The United States Financial Industry Regulatory Authority (FINRA) has added its voice to the growing chorus of regulators and institutions warning of the “Log4Shell” vulnerability in Apache Log4j software.
FINRA has issued an alert to member firms about a recently identified vulnerability in Apache Log4J software, which is an open-source, Java-based logging utility widely used by enterprise applications and cloud services. The “Log4Shell” vulnerability presents risk for member firms because they may be using this software in internal applications, or the software may be embedded in third-party software packages.
In addition, many applications written in Java are potentially vulnerable.
Bad actors may take advantage of this vulnerability to compromise systems to potentially steal information or engage in fraudulent activities. For example, a remote attacker can exploit this vulnerability to take control of an affected system.
FINRA reminds firms that the U. S. Securities and Exchange Commission’s (SEC) Regulation S-P Rule 30 requires firms to have written policies and procedures that are reasonably designed to safeguard customer records and information and FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) also applies to denials of service and other interruptions to members’ operations. I
n addition to firms’ compliance with SEC regulations, FINRA expects firms to develop reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations.
FINRA recommends member firms consider engaging their Technology staff along with third-party vendors, including any IT service providers, and taking the following steps:
- Leverage indicators of compromise (IOCs) associated with the vulnerability;
- Consider evaluating firm (and, if applicable, vendors’) firewalls to address additional risks relating to the vulnerability;
- Review firms’ internally maintained application systems to determine if any are at risk from the vulnerability;
- Evaluate third-party vendors’ systems to determine whether they have been impacted by the vulnerability;
- Continue monitoring threat information and updates through multiple intelligence sources.
The UK Financial Conduct Authority (FCA) has also issued a similar notice to firms it regulates.