Where Do FINRA’s Red Flags Rules Fit Alongside Latest SEC Proposals?

U.S. organizations might be surprised by the recent onslaught of information security requirements issued by the SEC (Securities and Exchange Commission).

It has put forward two proposals aimed at regulating cybersecurity: the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure and the Cybersecurity Risk Management Rule for Broker-Dealers.

In fact, this has been an area of concern for FINRA (Financial Industry Regulatory Authority) for years. FINRA is a private American corporation for the finance industry that regulates member brokerage firms and exchange markets. It was set up to oversee the U.S. financial markets under the SEC’s supervision.

The main cybersecurity-related rule that FINRA has helped enforce is the Red Flags Rule (Regulation S-ID (Identity Theft Red Flags) 17 CFR § 248.201).

It requires member firms to develop and implement “a written program to detect, prevent and mitigate identity theft in connection with the opening or maintenance of ‘covered accounts.’”

The SEC’s newest proposals would require certain organizations to establish, maintain, and enforce written policies and procedures that are reasonably designed to address their cybersecurity risks.

In essence, this requirement is very similar to the present rule, which members of FINRA should have already adopted.

Protecting customers

As part of compliance with the present SEC Rule 30, member organizations should have protected “sensitive customer information or confidential firm data from being exposed to, or copied by, nonauthorized individuals or threat actors.”

The proposed rule is the same – organizations must protect customer information.

As part of the FINRA risk monitoring program, member organizations are asked if they maintain an incident response plan. Incident response plans are also a requirement in the new rule as part of any good cybersecurity framework.

Under FINRA, organizations are required to consider the steps they take to ensure only authorized employees, customers, or contractors receive authenticated access to their systems.

The requirement under the proposed rule “would specify that the Covered Entity’s cybersecurity risk management policies and procedures must include controls designed to minimize user-related risks and prevent unauthorized access to the Covered Entity’s information systems and the information residing on those systems.”

The remaining two requirements in the new rule that are not directly addressed by the present FINRA rules are risk assessment and cybersecurity threat and vulnerability management.

To comply with the proposed rules, financial organizations must add these two requirements to their cybersecurity frameworks.

The first, risk assessment, is essential for many reasons, the most important being the cybersecurity budget. Organizations store many different types of information, and not all the information carries the same risk.

If a type of information cannot be monetized, there is often little incentive to steal it. So, less money needs to be spent to protect it.

Zero trust

For an organization to understand its risk, it needs to know what information it has, where that information is, and the value of that information. This process is also necessary to implement the best cybersecurity – zero trust.

According to NIST 800-207, there are three things organizations must do to implement a zero-trust architecture: decide what they need to protect, map the transaction flows, and place the controls as close as possible to the valuable information to define a micro-perimeter.

Cybersecurity threat and vulnerability management measures are also not presently in the FINRA guidelines. But as with risk assessments, they are an integral part of good cybersecurity.

An organization must create “measures designed to detect, mitigate, and remediate any cybersecurity threats and vulnerabilities with respect to the firm’s information systems.”

It’s true that these are not yet mandatory. The FINRA suggestions are at best guidelines or ‘considerations,’ while the SEC’s proposals have not yet been passed.

No doubt the financial industry and its lobbyists are pushing back against the imposition of more regulation. However, there is something much stronger at work in the finance industry.

According to a Cisco survey, 94% of organizations said their customers would not buy from them if their data was not properly protected. Financial assets are often a consumer’s most valuable assets.

Choosing an organization that protects those assets is or will be an integral part of a value proposition. Safety of financial assets will also be important for promoting an organization