Since we are a FINRA Designated Third Party (D3P) already doing data archiving for customers, I decided to help firms with cybersecurity too. So naturally I downloaded FINRA’s Cybersecurity Checklist for Small Firms in an attempt to get some guidance. Boy, was I disappointed, and surely I’m not alone. If you’re a small firm thinking FINRA is going to help with your cybersecurity plans these days, forget it.
FINRA’s Cybersecurity Checklist is old. I couldn’t actually find a date on the document; the closest thing I could find was a related download called Selected Cybersecurity Practices from 2018. A lot has changed since then, and a new approach is needed.
For example, the original Cybersecurity Checklist has a laundry list of items where FINRA suggests firms configure encryption, monitor their firewalls, set up intrusion detection, be able to rebuild systems from scratch after a disaster, maintain a plan to patch software, and put branch controls in place. But the fact is, almost all small FINRA firms have moved to the cloud or plan to (Microsoft 365 in particular), and cybersecurity in the cloud is a whole new ballgame: there are no more in-house firewalls to monitor, encryption is built in, and there is no need to patch software because Microsoft does that automatically. Disaster recovery is a moot point, and so is the idea of “branch offices,” once a firm has fully moved to the cloud.
A New Cybersecurity Checklist
Although cybersecurity is simpler when a firm is in the cloud, since there are no in-house systems to manage, there are new kinds of threats. On the Microsoft cloud you instantly become a bigger target: hackers can do a simple domain lookup, see that you’re there, and pull out their bag of tricks. Everyone’s login username is their email address, so a hacker only needs to obtain users’ passwords. And it’s easy for the whole company to be compromised in the cloud: if one person downloads malicious code to the company SharePoint site, everyone is instantly exposed.
Therefore, I created my own updated FINRA cybersecurity checklist for small firms on the Microsoft Cloud.
One: Advanced Security Options Aren’t Enabled on Microsoft 365 by Default
The first thing to understand about Microsoft 365 is that it’s not fully secured by default. The advanced security options a typical FINRA firm needs aren’t enabled out of the box, so to make the Microsoft Cloud secure the following needs to be checked off:
Two: Enable Advanced Alerts and Monitoring on the Microsoft Tenant
Also, alerts and monitoring aren’t enabled on Microsoft 365 by default; for cybersecurity, this needs to be checked off as well:
Three: Users’ Data Isn’t Backed up on Microsoft 365
Microsoft doesn’t back up users’ data stored in its cloud either. This means firms are still exposed to ransomware if they can’t restore an infected data set, and if anyone deletes files or emails, you can’t call Microsoft and ask them to restore it. So several important features are needed to back up and archive data:
Four: Security Awareness Training
Sign your company up for a security awareness training service. Basically, a security awareness training service continually tests and educates a firm’s employees about phishing (the number one way hackers get in). I am not going to get into all the details about how nasty phishing is, but here is what you need to check off for security awareness training today:
Summary
FINRA’s Cybersecurity Checklist is old, but the fact is, almost all small firms have moved to the cloud or plan to (Microsoft 365 in particular), which is a whole new ballgame: no more in-house firewalls to monitor, encryption is built in, and no need to patch software. Disaster recovery is a moot point, and so is the idea of having branch offices. Therefore, I created my own updated cybersecurity checklist to help FINRA firms tackle security on the Microsoft Cloud.
About AdvisorVault
AdvisorVault is the only FINRA D3P with a Consolidated 17a-4 Service, designed to give small firms everything needed to meet today’s data compliance demands. Our turn-key approach performs the archiving, retention, and supervision of electronic records no matter where they are stored, in-house or in the cloud, including the FINRA third party letters with all the required documentation. For one flat monthly fee it’s the only fully 17a-4 compliant option: complete data compliance peace of mind, out of the box.
Allan Lonz, President
alonz@advisorvault.org
direct: 416-985-0310
Toll free: 1-866-732-1407 ex 1