Kim Kiefer Peretti of Alston & Bird / photo courtesy

"Cybersecurity practices need to be current and adaptable to the current threat landscape," said Kimberly Kiefer Peretti, partner and co-chair of Alston & Bird's Cybersecurity Preparedness and Response Team in Washington, DC, of the Financial Industry Regulatory Authority's latest report, Report on Selected Cybersecurity Practices, 2018.

The recently published FINRA report gives brokerage firms of varying sizes advice on mitigating the risks of cyberattacks and other forms of data theft. FINRA is a non-profit, self-regulatory organization that registers broker-dealers and ensures compliance with federal securities laws and FINRA rules. It is overseen by the US Securities and Exchange Commission.

When publishing the 2018 report, Steven Polansky, senior director and head of member supervision at FINRA's Washington, DC office, said: "There is no single approach to cybersecurity. FINRA has therefore given priority to providing reports and other tools to help [firms] determine the right set of practices for their own business."

It is an urgent topic, as the number and severity of cyberattacks against financial institutions and others continue to increase. In September, for example, the SEC announced that Voya Financial Advisors Inc., a broker-dealer and investment adviser based in Des Moines, Iowa, had agreed to pay $1 million to settle charges that deficiencies in its cybersecurity policies and procedures had contributed to an intrusion that compromised the personal information of thousands of customers. The SEC charged Voya Financial with violating the federal Safeguards Rule and the Identity Theft Red Flags Rule, its first action under the Red Flags Rule. The intruders apparently gained access to customer data by getting the IT support desk to reset passwords while posing as the firm's financial representatives, who were independent contractors.

"This case reminds investment dealers and advisors that cybersecurity procedures need to be reasonably designed to fit their specific business models," said Robert Cohen, chief of the Cyber Unit in the SEC's Division of Enforcement, in announcing the settlement. "They also need to review and regularly update procedures to deal with the changing risks they face."

The FINRA report explains how to defend against this type of security breach and others. According to a press release FINRA issued with the report, it is organized around five main themes: cybersecurity controls in branch offices; methods of limiting phishing attacks; identifying and mitigating insider threats; elements of a rigorous penetration testing program; and establishing and maintaining controls on mobile devices. The report updates a similar one FINRA published in 2015.

The new report is more specific and more detailed than the 2015 edition, listing, for example, practices for branch controls, including the need for written supervisory procedures. A section on phishing details how to detect phishing emails that appear to come from executives, senior managers, customers, acquaintances or the company's help desk, and how to educate representatives and employees about them.

"This is not only about various controls, but also a continuous review of the effective practices used by other companies," Peretti said, adding that the report provides insight into common types of attacks.

For example, at the branch level, the report recommends "requiring branch staff to notify branch management and respond appropriately in the event of violations of the firm's branch cybersecurity standards or cybersecurity incidents involving the loss of confidentiality, availability or integrity of customer personally identifiable information or sensitive firm data."

Cybersecurity practices must "be adapted to the entity. It should be risk-based for your organization," said Peretti, a former senior litigator with the US Department of Justice's Computer Crime and Intellectual Property Section and lead prosecutor of TJX hacker ringleader Albert Gonzalez. Gonzalez conspired with other members of the ring to hack payment processors and networks over several years, gaining access to 180 million retail payment card accounts at companies including TJX and Target Corp. He was sentenced to 20 years and one day in 2010.

According to Peretti, institutions both large and small need to keep abreast of the latest methods and techniques used by organized criminals and state actors, and need to upgrade technologies and training to keep pace with the evolution of their tactics.

Read more:

The SEC strikes Voya's financial advisers with a $ 1 million fine for cyber-crime

Costs of cybersecurity exceed prices

Securing the premises: simple tips to optimize cybersecurity