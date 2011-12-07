* Information security at brokerages examined
* Concerns include login practices, network access
* Regulator to report findings to industry
By Suzanne Barlyn
Dec 7 Brokerages now have another reason to
review technology safeguards: regulators are paying attention.
The Financial Industry Regulatory Authority is taking a
closer look at cyber-security to better understand how firms
protect client data from hackers, viruses and other threats,
according to Susan Axelrod, head of FINRA's member regulation
sales practice unit.
The review is part of a series of "thematic" examinations
the regulator launched in 2010 and ramped up this year.
Thematic exams focus on how brokerages are controlling major
risks of concern to FINRA.
Information security is serious business for brokerage
firms, which keep sensitive financial details about their
clients and employees.
Cyber crimes cost between $1.5 million and $36.5 million
each year per company, according to the Ponemon Institute LLC
in Traverse City, Michigan, which researches information security
policy issues. The study was sponsored by ArcSight LLC, a unit
of Hewlett-Packard Co.
"We're just being thoughtful and strategic," Axelrod said.
FINRA has completed four of five planned on-site reviews and
has selected 237 firms to complete a written survey, in which
almost all participated, she said.
Thematic reviews are different from FINRA's more
traditional "targeted sweep" examinations, in which it looks at
firms' compliance with a specific area of securities
regulation, Axelrod said.
FINRA plans to report its findings to the brokerage
industry with official guidance or informal remarks with
brokerages. It also plans industry conferences, said Axelrod.
Axelrod identified potential risks and Reuters asked
technology professionals to offer potential solutions:
THE PROBLEM: Some firms have a one-step process for
employees to log in to a company system that holds personal
details about clients. A two-step process can be more secure.
THE FIX: Be choosy about which employees and contractors
have access to which data.
Some employees who need specific information regularly --
such as details about their clients or their units -- are
typically safe to have one-credential access, say technology
professionals. But consider a two-step process for those who
need access to information that is more relevant to other
divisions or offices.
THE PROBLEM: Broker-dealers that have acquired or merged
with other companies may not have consistent security
standards.
THE FIX: Develop new information security policies for the
whole organization, says Joseph Rivela, who advises companies
on information security and privacy for consultancy Protiviti
Inc, a unit of Robert Half International.
That doesn't always require creating an entirely new
system, he said. Instead, streamline existing systems by
choosing the policies and systems based on best practices as
set by industry guidelines.
Software that helps scan networks for potential security
gaps can also help. Costs can run from about $15,000 to
$100,000, depending on a firm's size.
THE PROBLEM: Some firms let contractors and employees
access the company's network from their personal computers. The
practice increases the risk of outside threats, including
viruses and other malware.
THE FIX: Require everyone to use company-issued computers,
says Larry Goldfarb, senior sales executive at StarCompliance,
a technology firm. Outside computers "are basically bringing
germs into the company every day," he says.
Brokerages that have a good reason for allowing outside
computers -- such as those used by contractors or employees
working at home -- should not allow access to data via the
company's network, says Goldfarb, a former compliance officer
for UBS AG.
"Virtualization software," available through companies such
as Microsoft Corp and Citrix Systems Inc,
allows access to email and certain client data, but users have
to save documents on the website, not their own computers or
flash drives. The software effectively transforms outside
computers into terminals, says Goldfarb.
"That would solve a lot of the problems," he says.