Cybersecurity

Given the evolving nature, increasing frequency, and sophistication of cybersecurity attacks – as well as the potential for harm to investors, firms, and the markets – cybersecurity practices are a key focus for FINRA.

FINRA also reviews a firm’s ability to protect the confidentiality, integrity and availability of sensitive customer information. This includes reviewing each firm’s compliance with SEC regulations, including:

  • Regulation S-P (17 CFR §248.30), which requires firms to adopt written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorized access
  • Regulation S-ID (17 CFR §248.201-202), which outlines a firm's duties regarding the detection, prevention, and mitigation of identity theft
  • The Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)), which requires firms to preserve electronically stored records in a non-rewriteable, non-erasable format

FINRA reviews firms' approaches to cybersecurity risk management, including: technology governance, system change management, risk assessments, technical controls, incident response, vendor management, data loss prevention, and staff training.

Small Firm Cybersecurity Checklist

FINRA has created a Checklist for a Small Firm's Cybersecurity Program (Excel 114 KB) to assist small firms in establishing a cybersecurity program to:

  • identify and assess cybersecurity threats and protect assets from cyber intrusions
  • detect when their systems and assets have been compromised
  • plan for the response when a compromise occurs
  • implement a plan to recover lost, stolen or unavailable assets

This checklist is primarily derived from the National Institute of Standards and Technology (NIST) Cybersecurity Framework and FINRA’s Report on Cybersecurity Practices.

Use of this checklist does not create a "safe harbor" with respect to FINRA rules, federal or state securities laws, or other applicable federal or state regulatory requirements.

2015 Report on Cybersecurity Practices

FINRA's Report on Cybersecurity Practices in the broker-dealer industry highlights effective practices that firms should consider to strengthen their cybersecurity programs.

The observations and practices in the report are based on a variety of sources, including a sweep we conducted in 2014 of firms of varying sizes and business models, a 2011 survey of firms and interviews with other organizations involved in cybersecurity. As we note in the report, there is no one-size-fits-all approach to a cybersecurity infrastructure. Rather, the risk management-based approach that we discuss in the report enables firms to tailor their program to their particular circumstances.

In Case of a Disruptive Attack or a Breach

Firms should get to know their local Federal Bureau of Investigation (FBI) and proactively plan for a cybersecurity attack or breach.

If your firm is the victim of a disruptive attack or breach (for instance, your data has been accessed or your customers cannot do business), you should immediately report the incident to your:

Vendors and Consultants

In an effort to provide enhanced compliance tools and resources, FINRA has developed the Compliance Vendor Directory (CVD). The FINRA CVD is designed to give firms more options in locating vendors that provide compliance-related offerings, including cybersecurity vendors and services.

Use of any products, services and/or materials offered by these vendors does not ensure compliance with regulatory requirements or create a safe harbor from regulatory responsibility. Firms should undertake their own assessments to determine whether the products or services meet their technology and security requirements. FINRA does not endorse these vendors or products, services or materials they offer and firms are not obligated to use them.

Non-FINRA Resources

FINRA has assembled a list of non-FINRA cybersecurity resources that firms may use to manage their cybersecurity risk. These resources include:

  • news and analysis
  • effective practices and guidance
  • free diagnostic tools

Use of any of these resources does not ensure compliance with FINRA's cybersecurity rules and policies. FINRA does not endorse or guarantee any of the resources listed within.

  • Distributed Denial of Service (DDoS) Attacks on Member Firms (June 19, 2015)
  • FINRA Warns Firms of Hoax Emails That Purport to Be From Regulators (February 29, 2012)
  • Verification of Emailed Instructions to Transmit or Withdraw Assets From Customer Accounts (January 26, 2012)
  • Members' Responsibilities When Outsourcing Activities to Third-Party Service Providers (July 22, 2005)
  • Tool / Resource (May 23, 2016): FINRA has created a checklist to assist small firms in establishing a cybersecurity program.
  • Podcast (March 21, 2016): This is the second podcast in a three-part series about FINRA’s 2016 Regulatory and Examination Priorities Letter. This episode focuses on technology management and cybersecurity. Hosts: Sarah Razaq and Steve Polansky.
  • Webinar (November 18, 2015): This one-hour free webinar tackles a top priority for small firms: building an effective cybersecurity program with limited resources.
  • Report / Study (February 3, 2015): The Report on Cybersecurity Practices focuses on the types of threats firms face, areas of vulnerabilities in their systems and firms' approaches to managing these threats.
  • Targeted Examination Letter (January 1, 2014): FINRA is conducting an assessment of firms’ approaches to managing cyber-security threats. FINRA is conducting this assessment in light of the critical role information technology (IT) plays in the securities industry, the increasing threat to firms’ IT systems from a variety of sources, and the potential harm to investors, firms, and the financial system as a whole that these threats pose.
  • Webinar: During this free, 45-minute webinar, panelists discuss top cybersecurity threats facing broker-dealer firms and how firms can protect themselves from these threats.

  • Investor Alert: FINRA is updating this Alert to tell you about some of the latest online identity theft scams targeting financial sector customers and to provide tips for spotting and avoiding these scams.
  • Investor Alert: In another variation of the identity theft tale, stock traders posing as employees of a made-up Latvian brokerage firm appear to have stolen personal information from individuals who thought they were applying for a job through the popular classifieds website, Craigslist (www.craigslist.org).
  • Investor Alert: Information technology (IT) plays a critical role in the securities industry. Unfortunately, cyber threats to the information and computer systems of brokerage firms are increasing, and with these threats comes the risk of potential harm to investors.
  • Investor Alert: FINRA has received an increasing number of reports involving investor funds being stolen by fraudsters who first gain access to the investor’s email account and then email instructions to the firm to transfer money out of the brokerage account. In addition to issuing a Regulatory Notice to firms, we are issuing this Alert to warn investors about the potential financial consequences of a compromised email account and to provide tips for safeguarding your assets.
  • Podcast: In the most serious cases, a compromised email account can lead not only to identity theft, but also to theft of your money. That’s why one of the most important first steps you should take if your email account has been hacked is to notify your brokerage firm and other financial institutions.
  • Podcast: Computer security experts point out that economic cyber-crime continues to surge. Phishing attacks have increased significantly since they were first discovered in 2005. These scams typically use bogus emails to lure you into giving the scammers your personal information. But you can arm yourself with knowledge. We have three tips to help protect you from cyber criminals looking to steal your money.
  • Investor Alert: Your brokerage firm has an obligation to safeguard your personal financial information. And every investor should take time to understand their firm’s cybersecurity procedures. But even the best procedures cannot prevent all instances of identity theft—especially if the vulnerability lies with you, the customer. Here are critical steps you can take to safeguard your financial accounts and help prevent identity theft.
  • Investor Alert: The Internet and, more recently, wireless technology have made it easy for investors to check brokerage account information and initiate investment transactions on the go. We are issuing this Alert to warn investors to take precautions to help ensure the security of their brokerage accounts. Not doing so puts your account information and investments at risk.
  • Investor Education: Use this checklist to safeguard your sensitive information and help keep identity thieves at bay.