FINRA Financial Industry Regulatory Authority

FINRA Discusses Cyber-security Threats

FINRACyber-security continues to be a grave concern by firms governed by FINRA, the Financial Industry Regulatory Authority.

FINRA’s latest webcast was about a recent report FINRA released on the topic of cybersecurity and it was roundtable discussion of: FINRA’s Senior Vice President of Member Relations and Education Chip Jones, Chief Information Security Officer John Brady, Senior Director Steve Polansky and Kansas City Surveillance Director Dave Kelley.

The webcast was put on in conjunction with a report that FINRA released as well.

During the discussion, Polansky said, “when we talk to firms, that’s frequently the number one threat they cite from an operational risk standpoint.”

FINRA put out a similar report in 2015.

Polansky discussed what has changed, “The difference between this report and the 2015 report is that the 2015 report is really about how to establish a cybersecurity program for a firm, this report looks at five areas such as branch controls, insider threats, penetration testing, to help firms understand how to address those specific challenges.”

The 2015 report was broad while this was “targeted” Polansky noted further.

The five areas of the report: Branch controls, phishing, insider threats, penetration testing, and mobile devices- were chosen, said Kelley, “based on what we’re seeing as we’re talking to firms.”

FINRA is referred to as a self-regulatory organization (SRO), similar to the American Bar Association, and it was formed when the regulatory arm of the NYSE and NASDAQ combined.

Branch Controls:

Of branch controls, the report stated, “FINRA has observed that some firms face challenges maintaining effective cybersecurity controls at their branch locations. Branches’ autonomy from the home office may adversely affect firms’ ability to implement a consistent firm-wide cybersecurity program. Some firms may experience increased challenges if their branches may, for example, purchase their own assets, use nonapproved vendors or not follow their firms’ software patching and upgrade protocols. Similarly, representatives working from home may require even further oversight and technological support to comply with firm standards. As a result, firms should evaluate whether they need to enhance their branch-focused cybersecurity measures to maintain robust cybersecurity controls and protect customer information across their organizations.”


Phishing is a broad term for all sorts of email scams. The report specifically noted, “Social engineering or “phishing” attacks are one of the most common cybersecurity threats firms have discussed with FINRA. Phishing attacks may take a variety of forms, but all of them try to convince the recipient to provide information or take an action. Although some phishing emails are distributed to millions of recipients, other attempts are thoroughly researched and carefully customized to reach one or more selected individuals (e.g., an individual who attackers have determined is likely to have administrator privileges), while a related attack targets one  or more senior firm personnel (e.g., the CEO or CFO). (These types of attacks are referred to as ‘spear phishing’ and ‘whaling’ respectively, but we refer to them collectively as ‘phishing in  the remainder of this document.)

“In a phishing event, the attackers try to disguise themselves as a trustworthy entity or individual via email, instant message, phone call or other communication, where they request PII (such as Social Security numbers, usernames or passwords), direct the recipient to click on a malicious link, open an infected attachment or application or attempt to initiate a fraudulent wire transfer.”

John Brady, Chief Information Security Officer - Cyber-security Threats
John Brady, FINRA Chief Information Security Officer

Insider Threats:

Of insider threats, the report noted, “Insider threats remains a critical cybersecurity risk because an insider typically circumvents many firm controls and may cause material data breaches of sensitive customer and firm data. Whether due to malicious behavior—such as a bad actor who plans to sell customer account data on the dark web—or inadvertent error—such as a registered representative who loses his or her laptop or other storage media with unencrypted customer PII—insiders are in a unique position to cause significant harm to an organization. In response to the 2017 and 2018 FINRA Risk Control Assessment (RCA), the vast majority (95-99 percent) of higher revenue firms and 66 percent of  mid-level revenue firms indicated that they address insider threats in their cybersecurity programs.

“’Insiders’ include individuals who currently have or previously had authorized access to firm systems and data because of their function or role and include individuals such as full and part-time employees, contract or temporary employees, consultants and interns, but they may also include employees or contractors of third-party vendors and sub-contractors.”

Penetration Testing:

This involves the system being tested by employees or hired outside contractors to see if the system at a particular firm or even at FINRA, which has its own penetrating testing done to its systems, can be penetrated.

The report stated, “Penetration testing (or a pen test) is an important element in many firms’ cybersecurity programs.  A pen test simulates an attack on a firm’s internally- or externally-facing computer network to determine the degree to which malicious actors may be able to exploit vulnerabilities in the network and evaluate the effectiveness of the firm’s protective measures. For example, one particular type of pen test focuses on a firm’s web application to evaluate its security design and associated databases (e.g., a firm’s public website where employees, representatives or customers log in to access account and position data, including PII or other confidential information).

“The pen test process requires an active analysis of a firms’ network, applications or other targets for any weaknesses, technical flaws, gaps or vulnerabilities. Such testing often involves both automated scanning tools and manual techniques and may include social engineering. Any identified security issues would be presented to the business owner and information technology management, together with an assessment of the impact, risk classification of findings, and a proposal for mitigation or a technical solution.”

Mobile Devices

Of mobile devices, the report noted, “The widespread and expanding use of mobile devices creates new opportunities for attacks on sensitive customer and firm data. Employees, customers, consultants and contractors may regularly use smartphones, tablets, laptops and other devices for a variety of activities, including communication, trading, receiving investment alerts, money transfers and account monitoring. As the industry becomes more reliant on mobile devices, risks associated with this technology continue to increase.

“Firm and personal mobile devices are exposed to risks including, but not limited to, malicious advertisements and spam communication; infected, cloned or pirated mobile applications; vulnerabilities in mobile operating systems; and phishing, spoofing or rerouting of calls, emails and text messages (see Phishing section of this report above). Although all firms offering access to their systems through mobile devices face such risks, firms with large numbers of retail customers may be subject to greater exposure and should consider especially rigorous implementation of cybersecurity controls to protect firm and customer information.”


John Brady as FINRA’s Chief Information Security Officer, is responsible for worrying about cyber threats to FINRA’s systems.

He has been in  this position since 2015. He said that he sleeps much better but still worries about the threats caused by third parties with access to FINRAs systems.