Today, we explore what the Financial Industry Regulatory Authority (FINRA) requires with regard to penetration testing. FINRA is a self-regulatory organization authorized by Congress to protect America's investors by making sure the broker-dealer industry operates fairly and honestly. As the financial industry has evolved, FINRA has continued to strengthen its stance and recommendations on cybersecurity.
Does FINRA Require Penetration Testing?
No. FINRA has no rule that mandates penetration testing. It does, however, strongly encourage penetration testing in its Report on Selected Cybersecurity Practices. That report presents FINRA's observations on effective practices that firms have implemented to address selected cybersecurity risks, while recognizing that there is no one-size-fits-all approach to cybersecurity. The guidance on penetration testing begins on page 13 of the report. Below are the highlights:
“…. The utility of pen tests is less a function of firm size, however, and much more a function of a firm’s business model and technology infrastructure. For example, pen tests are highly relevant to firms that provide online access to customer accounts. FINRA has observed higher, mid-level and lower revenue firms that conduct pen tests. Other factors these firms consider in evaluating the relevance of penetration testing include the degree to which they manage or store confidential or critical data such as trading strategies, customer PII, information about mergers and acquisitions or confidential information from other entities (for example, in the case of clearing firms).”
Additionally, FINRA details the following practices that firms have implemented when conducting penetration testing:
- Adopting a risk-based approach to penetration testing;
- Thoroughly vetting their testing providers;
- Establishing contractual provisions that carefully prescribe vendor responsibilities;
- Rigorously managing and responding to pen test results;
- Periodically rotating testing providers to benefit from a range of skills and expertise
The report goes on to provide additional detail on each of these practices, which can be extremely valuable, especially for firms with a less mature security program. Because most financial institutions hold highly sensitive PII, such as Social Security numbers, we recommend that they conduct penetration tests at least annually, and again after significant changes to customer-facing systems, consistent with the risk-based approach FINRA describes. If you need a penetration test to satisfy FINRA's recommendations, please contact us today!