December 7, 2011

* Information security at brokerages examined

* Concerns include login practices, network access

* Regulator to report findings to industry

By Suzanne Barlyn

Dec 7 - Brokerages now have another reason to review technology safeguards: regulators are paying attention.

The Financial Industry Regulatory Authority is taking a closer look at cyber-security to better understand how firms protect client data from hackers, viruses and other threats, according to Susan Axelrod, head of FINRA's member regulation sales practice unit.

The review is part of a series of "thematic" examinations the regulator launched in 2010 and ramped up this year. Thematic exams focus on how brokerages are controlling major risks of concern to FINRA.

Information security is serious business for brokerage firms, which keep sensitive financial details about their clients and employees.

Cyber crimes cost between $1.5 million and $36.5 million each year per company, according to the Ponemon Institute LLC, a Traverse City, Michigan, firm that researches information security policy issues. The study was sponsored by ArcSight LLC, a unit of Hewlett-Packard Co.

"We're just being thoughtful and strategic," Axelrod said. FINRA has completed four of five planned on-site reviews and has selected 237 firms to complete a written survey, in which almost all participated, she said.

Thematic reviews are different from FINRA's more traditional "targeted sweep" examinations, in which it looks at firms' compliance with a specific area of securities regulation, Axelrod said.

FINRA plans to report its findings to the brokerage industry, either as official guidance or as informal remarks to brokerages. It also plans industry conferences, said Axelrod.

Axelrod identified potential risks and Reuters asked technology professionals to offer potential solutions:

THE PROBLEM: Some firms have a one-step process for employees to log in to a company system that holds personal details about clients. A two-step process can be more secure.

THE FIX: Be choosy about which employees and contractors have access to which data.

Employees who regularly need specific information -- such as details about their own clients or their units -- are typically safe to have one-credential access, say technology professionals. But consider a two-step process for those who need access to information that is more relevant to other divisions or offices.

THE PROBLEM: Broker-dealers that have acquired or merged with other companies may not have consistent security standards.

THE FIX: Develop new information security policies for the whole organization, says Joseph Rivela, who advises companies on information security and privacy for consultancy Protiviti Inc, a unit of Robert Half International.

That doesn't always require creating an entirely new system, he said. Instead, streamline existing systems by choosing the policies and systems based on best practices as set by industry guidelines.

Software that helps scan networks for potential security gaps can also help. Costs can run from about $15,000 to $100,000, depending on a firm's size.

THE PROBLEM: Some firms let contractors and employees access the company's network from their personal computers. The practice increases the risk of outside threats, including viruses and other malware.

THE FIX: Require everyone to use company-issued computers, says Larry Goldfarb, senior sales executive at StarCompliance, a technology firm. Outside computers "are basically bringing germs into the company every day," he says.

Brokerages that have a good reason for allowing outside computers -- such as those used by contractors or employees working at home -- should not allow access to data via the company's network, says Goldfarb, a former compliance officer for UBS AG.

"Virtualization software," available through companies such as Microsoft Corp and Citrix Systems Inc, allows access to email and certain client data, but users have to save documents on the website, not on their own computers or flash drives. The software effectively transforms outside computers into terminals, says Goldfarb.

"That would solve a lot of the problems," he says.