The Financial Industry Regulatory Authority (FINRA) announced at its recent 2016 Annual FINRA Conference in Washington DC that it has created a Cybersecurity Checklist to assist small member firms in establishing a cybersecurity program to assist small firms in establishing a cybersecurity program to identify and assess cybersecurity threats, protect assets from cyber intrusions, detect when their systems and assets have been compromised, plan for the response when a compromise occurs, and implement a plan to recover lost, stolen or unavailable assets.
Sub-sections included in this checklist include the following:
- Identifying and inventorying risks;
- Protecting information assets from breaches and cyber intrusions,
- Importance of encryption;
- User controls and staff training;
- Detecting when their systems and assets have been compromised;
- Planning for the response when a compromise occurs; and
- Implementing a response plan to recover lost, stolen or unavailable assets and respond to notice requirements.
This cybersecurity checklist is primarily derived from the National Institute of Standards and Technology (NIST) Cybersecurity Framework and FINRA’s Report on Cybersecurity Practices. With this said, FINRA member firms need to know that the use of this checklist does not create a “safe harbor” with respect to FINRA rules, federal or state securities laws, or other applicable federal or state regulatory requirements, but if your firm has not met the minimal standards set out in the checklist, you can be sure your exposure to regulatory exposure and or cybersecurity threat is increased.