Get an IT security tech’s take on cybersecurity compliance, using the FINRA cybersecurity checklist for small- to mid-sized businesses.
FINRA’s “Checklist for a Small Firm’s Cybersecurity Program” is an excellent cybersecurity tool for small to medium-sized (SMB) financial advisor firms. Use these tips to complete it to keep your clients’ sensitive data (and your business) much safer.
Before we begin, be sure to download the FINRA Cybersecurity Checklist.
Pro Tip: Look at this with IT staff or an outsourced IT service vendor with cybersecurity experience. Delegate the information gathering and input as you see fit, but stay involved throughout the process.
3 Tips for Navigating the Checklist
1. Don’t Skip the “Overview” and “Resources” Tabs
The Overview tab explains the document’s purpose and methods. It asks five questions that will determine which of the 12 sections you should complete.
Pro Tip: Most financial services SMBs should complete all 12.
The Resources tab includes helpful background links for each of the 12 sections. The links (to sources like NIST, FINRA and AICPA) give you background information on why the checklist asks for the information that it does.
2. Read the Footnotes
When you see asterisks throughout this spreadsheet, scroll down and check the footnotes — they’re usually quite helpful definitions, details, and instructions.
3. Scroll Down for Important Info
Some tabs have key sections hidden 30 to 40 rows down, so look for those. We’ll note some of them in the following hints for each section.
Tips for Completing the FINRA Cybersecurity Checklist’s 12 Sections
The following tips aren’t intended to be complete instructions for each of the checklist’s sections. Instead, many of them come from the questions we’re typically asked when helping clients complete this checklist.
Section 1: Identify and Assess Risks - Inventory
The first two columns ask what data your company has and where it is stored.
A good way to get started with this is to look at the information you gather from a new client. What data do you collect and where does it go?
The third column asks you to assess the risk level.
It can be helpful to assess the potential damage done to those whose private financial data has been compromised, in order to determine whether the risk is high, medium, or low.
Section 2: Identify and Assess Risks - Minimize Use
This builds on your Section 1 entries. For each data category you entered, decide whether your firm:
- Really needs it, and/or
- Really needs to share it.
You might be surprised how much data you collect that you don’t need. Shed that data and the unnecessary risk it represents.
Section 3: Identify and Assess Risks - Third Parties
When creating a list of third-party entities that have access to your data, do not limit it to just those with staff who can access it, such as your IT services provider, accountant or payroll service. You should also include providers of products and services you use to store and move data (e.g., Dropbox, Box.com, or Salesforce).
To ensure proper vendor management, refer to the checklist starting at row 62 for the necessary steps you should be taking.
Section 4: Protect - Information Assets
For each sensitive data category you listed in Section 1, enter how that “information asset” is protected. But when you do, ask yourself whether the protections actually work.
- Password protected? If so, have you reset the default password?
- Malware/antivirus/firewall installed? If so, have all updates/patches been installed?
Starting in Row 56 is a checklist of password best practices.
Section 5: Protect - System Assets
Unlike the usual definition of “asset” for financial services pros, in this context the asset is data. The “system” is what stores and/or processes the data, such as your CRM, HR, or project management software.
Section 6: Protect - Encryption
The footnotes are helpful for explaining encryption basics, but for non-experts, it’s best to seek help from IT staff or vendors.
Most small companies (and big companies too) aren’t encrypting data when sending it through internal email. Microsoft and other email platform providers have some tools to protect that type of data. Again, get help with enacting these protections.
Section 7: Protect - Employee Devices
This section asks you to list all devices that have access to personally identifiable information (PII). This includes personal devices such as smartphones and tablets that employees use to check their work email.
You also need to enter how each device is protected. Protections should include encrypting your data and wiping sensitive data from devices belonging to terminated employees. Also, consider preventing employees from saving any business data to their mobile devices.
Section 8: Protect - Controls and Staff Training
The training section doesn’t mention specific types of cybersecurity training, but there’s one area you should consider: how to spot phishing attempts, because phishing is the fastest way for an outsider to hack your system. Training should include regular fake phishing emails to see how well the training is working.
It is equally important to monitor the activities of all individuals who have administrative access, including those with email system admin rights. Hackers are eager to obtain accounts with admin rights because they give maximum access to your sensitive data.
Pro Tip: Remember to turn on two-factor authentication on any admin account.
Section 9: Detect - Penetration Testing
Penetration testing, also known as “white hat” hacking, is when the good guys emulate malicious hackers to find vulnerabilities in your IT infrastructure that you need to fix.
Section 10: Detect - Intrusion
This section is all about whether you have an intrusion detection system (IDS). In its simplest form, an IDS is a subscription service added to your firewall that watches network traffic for signs of an intrusion.
Pro Tip: If you have an outsourced IT vendor doing your network monitoring, ask about the IDS, and whether it includes the “IDS Controls” that start on row 21.
Section 11: Response Plan
This is another section for which you should probably get expert help. But read through it, because it has excellent information about what you may need to respond to when a data breach occurs.
The meat of this section isn’t until line 38, where you get a description of potential attacks you may need to respond to, and links to some good resources.
Beginning on line 79 is a checklist of important “governance” steps you should be taking – such as buying cyber liability insurance.
Section 12: Recovery
This section is about recovery. What happens after a cyber incident is really a great guide to six controls you should have in place before a cyber incident.
Translation of the control described in line 13: use continuous network monitoring that logs unusual network activity, so that when something bad happens you can tell whether you’re vulnerable to getting hit in a similar way again.
Why It’s a Mistake to Ignore This Checklist
You’re probably no stranger to cybersecurity checklists. One reason some of my clients say they haven’t paid attention to them before is that they believe their parent company, broker-dealer, or some other entity further up the ladder handles all that cyber stuff. That’s almost never true.
And it could be a very costly mistake if a data breach results in a lawsuit, and you can’t show that you had a good cybersecurity plan in place when the breach occurred.
This FINRA checklist takes more to complete than checking yes or no on a long list of cybersecurity controls. It takes considerable time and effort. But that’s a good thing.
If you work with your IT staff and/or vendors to complete this document, you’ll have the bones of a strong cybersecurity program.