How to Use the FINRA Cybersecurity Checklist for Small Firms
For small to medium-sized financial advisor firms, the best cybersecurity tool you may never have heard of is FINRA’s “Checklist for a Small Firm’s Cybersecurity Program.” Follow these tips on completing it, and your clients’ sensitive data — and your business — will be much safer.
You can download the checklist here. Best advice: Look at this together with IT staff or an IT services vendor who has cybersecurity experience. Delegate the information gathering and input as necessary, but stay involved.
General Tips for Navigating the Checklist
Don’t skip the “Overview” and “Resources” tabs
- The Overview tab explains the document’s purpose and methods, and asks five questions that will determine which of the 12 sections you should complete (most financial services SMBs should complete all 12).
- The Resources tab includes helpful background links for each of the 12 sections. The links, to sources like NIST, FINRA and AICPA, give you background on why the checklist asks for the information that it does.
Asterisks are your friends: Read the footnotes
When you see asterisks throughout this spreadsheet, scroll down and check the footnotes — they’re usually quite helpful definitions, details, and instructions.
Scroll down and ye shall find
Some tabs have key sections hidden 30 to 40 rows down, so look for those. (We’ll note some of those in the following hints for each section.)
Tips for Completing the Checklist’s 12 Sections
The following tips aren’t intended to be complete instructions for completing each of the checklist’s sections. Instead, many of these tips come from the questions I’m typically asked when helping clients complete this checklist.
Section 1: Identify and Assess Risks – Inventory
- The first two columns ask what data your company has and where it is stored. A good way to get started is to look at the information you gather from a new client: What data do you collect, and where does it go (CRM, email, file shares, vendor portals)?
- The third column asks you to assess the risk level: High, medium, or low. To do that, consider how much harm would be done to the people whose private financial data got into a criminal’s hands or was publicly exposed, and how many of them it would affect.
Section 2: Identify and Assess Risks – Minimize Use
- This builds on your Section 1 entries. For each data category you entered, decide whether your firm:
1. really needs to collect it, and
2. really needs to share it.
You might be surprised how much data you collect that you don’t need. Shed that data and the unnecessary risk it represents; data you don’t hold can’t be breached.
Section 3: Identify and Assess Risks – Third Parties
- Don’t include only third parties whose staff has access to your data, such as your IT services provider, accountant, or payroll service. Also include providers of products and services you use to store and move data, e.g. Dropbox, Box.com, or Salesforce.
- See the checklist-within-a-checklist starting in row 62 for the vendor management steps you should be performing.
Section 4: Protect – Information Assets
- For each sensitive data category you listed in Section 1, enter how that “information asset” is protected. But when you do, ask yourself whether the protections actually work. Examples:
– Password protected? If so, have you changed the default password, and is access limited to the people who actually need it?
– Anti-malware/antivirus/firewall installed? If so, have all updates and patches been installed, and are the tools still receiving updates?
- Starting in Row 56 is a checklist of password best practices.
Section 5: Protect – System Assets
- Unlike the usual definition of “asset” for financial services pros, in this context the asset is data. The “system” is what stores and/or processes the data, such as your CRM, HR, or project management software.
Section 6: Protect – Encryption
- The footnotes are helpful for explaining some encryption basics, but really, if you’re not a cybersecurity expert, this is a good section to get help from your IT staff or vendor.
- Most small companies (and big companies too) aren’t encrypting data when sending it through internal email. Microsoft and other email platform providers have some tools to protect that type of data. Again, get help with enacting these protections.
Section 7: Protect – Employee Devices
- This section asks you to list all devices that have access to personally identifiable information (PII). This includes personal devices such as smartphones and tablets that employees use to check their work email.
- You also need to enter how each device is protected. Protections should include encrypting your data, and wiping sensitive data from devices belonging to terminated employees. Also, consider preventing employees from saving any business data to their mobile devices.
Section 8: Protect – Controls and Staff Training
- The training section doesn’t mention specific types of cybersecurity training, but there’s one area you should consider: How to spot phishing attempts. Phishing is one of the most common ways for an outsider to get into your systems. Training should include regular simulated phishing emails so you can measure how well the training is working.
- You’ll be asked whether you monitor access to your systems by employees and vendors. Pay particular attention to everyone who has administrative access, including everyone with email system admin rights. Attackers covet accounts with admin rights, because they give maximum access to your sensitive data. Keep the number of admin accounts to a minimum, remove admin rights that are no longer used, and turn on two-factor authentication on every admin account.
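One way to put the admin-account part of that review into practice is to pull a user export from your email or identity platform and check it for the three things above: admin accounts without two-factor authentication, admin accounts that haven’t signed in for a long time, and vendor accounts holding admin rights. The script below is an added example and not part of the FINRA checklist or any vendor’s tooling. The CSV column names (`user`, `account_type`, `roles`, `mfa_enabled`, `last_sign_in`), the 90-day staleness threshold, and the sample rows are all assumptions; map your own provider’s export onto them.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export. This is NOT a real FINRA or vendor format;
# the column names are assumptions and the accounts are made up.
SAMPLE_EXPORT = """\
user,account_type,roles,mfa_enabled,last_sign_in
alice@example.com,employee,Global Administrator;Exchange Administrator,true,2024-05-02
bob@example.com,employee,User,false,2024-05-03
carol@example.com,employee,Exchange Administrator,false,2024-04-28
it-vendor@example.com,vendor,Global Administrator,true,2024-01-15
old-admin@example.com,employee,Global Administrator,true,2023-11-01
payroll-svc@example.com,vendor,User,false,2024-05-01
"""

STALE_DAYS = 90  # assumption: an admin account unused this long is a candidate for removal


def is_admin(roles: str) -> bool:
    """Treat any role whose name contains 'admin' as administrative (roles are ';'-separated)."""
    return any("admin" in role.strip().lower() for role in roles.split(";"))


def audit_admin_accounts(export_csv: str, today: date) -> dict:
    """Return lists of admin accounts that need attention, keyed by finding type."""
    findings = {"admins": [], "no_mfa": [], "stale": [], "vendor_admin": []}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if not is_admin(row["roles"]):
            continue  # ordinary users are out of scope for this review
        user = row["user"].strip()
        findings["admins"].append(user)
        if row["mfa_enabled"].strip().lower() != "true":
            findings["no_mfa"].append(user)
        last_sign_in = datetime.strptime(row["last_sign_in"].strip(), "%Y-%m-%d").date()
        if (today - last_sign_in).days > STALE_DAYS:
            findings["stale"].append(user)
        if row["account_type"].strip().lower() == "vendor":
            findings["vendor_admin"].append(user)
    return findings


def format_report(findings: dict) -> str:
    """Render the findings as a short plain-text report for the review meeting."""
    lines = [f"Admin accounts reviewed: {len(findings['admins'])}"]
    lines.append("Admin accounts WITHOUT two-factor authentication: "
                 + (", ".join(findings["no_mfa"]) or "none"))
    lines.append(f"Admin accounts unused for more than {STALE_DAYS} days: "
                 + (", ".join(findings["stale"]) or "none"))
    lines.append("Vendor accounts holding admin rights: "
                 + (", ".join(findings["vendor_admin"]) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Fixed review date so the sample output is reproducible.
    print(format_report(audit_admin_accounts(SAMPLE_EXPORT, date(2024, 5, 6))))
```

Run it against your own export at each periodic access review; anything in the `no_mfa` or `vendor_admin` lists should be fixed the same day, and anything in `stale` should either be justified in writing or removed.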
Section 9: Detect – Penetration Testing
- Penetration testing is also called “white hat” hacking: When the good guys try to emulate the bad guys to find vulnerabilities in your IT infrastructure that you need to fix.
Section 10: Detect – Intrusion
- This section is all about whether you have an intrusion detection system (IDS). In plain English: an IDS watches your network traffic (or your servers) for known attack patterns and suspicious behavior and raises an alert when it sees them. For a small firm it is usually delivered as a paid feature or subscription on your firewall, or as part of a managed monitoring service, so someone still has to look at the alerts.
- If you have an outside IT vendor doing your network monitoring, ask about the IDS, and whether it includes the “IDS Controls” that start on row 21.
Section 11: Response Plan
- This is another section for which you should probably get expert help. But read through it, because it has excellent information about what you may need to do when a data breach occurs.
- The meat of this section isn’t until line 38, where you get a description of potential attacks you may need to respond to, and links to some good resources. Beginning on line 79 is a checklist of important “governance” steps you should be taking (such as buying cyber liability insurance!).
Section 12: Recovery
- This section about recovery — what happens after a cyber incident — is really a great guide for six controls you should have in place before a cyber incident.
- Translation for the control described in line 13: Use continuous network monitoring that logs unusual network activity and keeps those logs, so that after an incident you can reconstruct how the attacker got in and confirm that the same path is closed before you declare recovery complete.
Why It’s a Mistake to Ignore This Checklist
You’re probably no stranger to cybersecurity checklists. One reason some of my clients say they haven’t paid attention to them before is that they believe their parent company, broker-dealer, or some other entity further up the ladder handles all that cyber stuff.
That’s almost never true. And it could be a very costly mistake if a data breach results in a lawsuit, and you can’t show that you had a good cybersecurity plan in place when the breach occurred.
This FINRA checklist takes more to complete than checking yes or no on a long list of cybersecurity controls — it takes considerable time and effort. But that’s a good thing.
If you work with your IT staff and/or vendors to complete this document, you’ll have the bones of a strong cybersecurity program.