The Financial Industry Regulatory Authority, or “FINRA,” recently published its Report on Selected Cyber Security Practices. FINRA is a self-regulatory organization within the financial industry, an industry that is highly motivated by information privacy and cyber security concerns. When FINRA releases information and recommendations on these topics, we should all take notice.
The report highlights several areas of ongoing concern to many employers:
- Establishing appropriate written information privacy and cyber security policies and procedures;
- Maintaining security at branch or satellite offices;
- Training employees to recognize and respond to phishing attacks;
- Learning to detect and defend against insider threats (such as disgruntled employees);
- Conducting reasonable security testing; and
- Reducing the spread of malicious software via employee-owned devices.
Every employer depends daily on the availability of its computer systems and possesses valuable information such as trade secrets, proprietary business information, and personally identifiable information regarding its employees. However, many employers, especially those operating outside the healthcare and financial industries, are unaware of the information privacy and cyber security risks to which their organizations are exposed until a security breach or attack occurs.
To avoid making costly mistakes, employers in all industries should take a basic inventory of the information they possess and the risks posed by the release, interruption, or deletion of that information. This inventory can then be used to make wise decisions concerning reasonable security controls, such as adequate user authentication and/or a “Bring Your Own Device Policy” governing employee use of personal electronic devices.
Additionally, policies should be drafted and implemented so as to avoid creating a situation that may cause an insurer to deny a claim for damages in the event of a security breach. Policies should generally not be aspirational; rather, they must reflect controls that have actually been implemented. For example, a company may intend to start requiring two-factor authentication to access certain company accounts, as required by its written policy, and then fail to follow up with the necessary implementation. If those accounts are compromised, an insurer may deny a claim because the company knew there was a heightened risk to those accounts and failed to adequately protect them.
Written policies should also include sufficient detail to provide appropriate security while allowing for reasonable deviation in implementation. A company may be tempted to provide minute details regarding actions to be taken in response to a breach. But, if the company fails to adhere to all of those detailed provisions, the insurer may find cause to deny payment for some portion of the company’s damages.
The cost of implementing most of FINRA’s recommendations will vary depending on a company’s needs and financial commitment to security. Some companies justifiably strive to turn their network and computer systems into a digital “Fort Knox,” by implementing costly controls recommended by various organizations. While that may not be possible for everyone, all companies can benefit from implementing controls that are appropriate and cost effective for their size and industry, including the controls discussed above.
Eliza Scott Jones is an associate with Woolf, McClane, Bright, Allen & Carpenter PLLC and a former computer programmer and security professional. She provides counsel for legal matters related to information privacy and cyber security.