News Release

FINRA Issues Report on Cybersecurity Practices, Cybersecurity Investor Alert

For Release: Tuesday, February 3, 2015

George Smaragdis (202) 728-8988
Nancy Condon  (202) 728-8379
Michelle Ong  (202) 728-8464

WASHINGTON — The Financial Industry Regulatory Authority (FINRA) issued a new report on cybersecurity, which details practices that firms can tailor to their business model as they strengthen their cybersecurity efforts.

The Report on Cybersecurity Practices draws in part from the results of FINRA's recent targeted examination ("sweep") of a cross-section of firms. The sweep, conducted in 2014, focused on the types of threats firms face, areas of vulnerabilities in their systems and firms' approaches to managing these threats. FINRA also issued a new Investor Alert called Cybersecurity and Your Brokerage Firm, which encourages investors to understand their firm's cybersecurity policies. FINRA's new Investor Alert includes a series of questions investors can ask to help them better understand their firm's cybersecurity activities and policies, as well as practical advice to help investors safeguard their brokerage accounts and personal financial information.

"Broker-dealers face a variety of rapidly evolving cybersecurity threats, which require a well-designed and adaptable cybersecurity program," said Susan Axelrod, Executive Vice President for Regulatory Operations. "FINRA is keenly focused on cybersecurity, and firms must make responding to these threats a high priority. This report builds on the insights from our recent cybersecurity sweep and highlights a series of principles and effective practices that firms can adapt to their particular circumstances."

Broker-dealers are increasingly exposed to cybersecurity risks, and breaches at a broker-dealer could entail adverse implications for investors, firms, capital markets and even broader swaths of the financial system.

FINRA's new report reveals that, according to both FINRA's 2014 sweep and a 2011 survey of firms, broker-dealers identified the top three threats as:

  • hackers penetrating firm systems;
  • insiders compromising firm or client data; and
  • operational risks.

The ranking of threats varied by firm and by business model. While online brokerage firms and retail brokerages were more likely to list hackers as their top-priority risk, firms that engage in algorithmic trading were more likely to consider insider risks potentially more damaging. Large investment banks or broker-dealers typically ranked risks from nation states or hacktivist groups more highly than other firms did.

The Report on Cybersecurity Practices focuses on select cybersecurity topics that, together, serve as a resource for firms developing or advancing their cybersecurity programs, including:

  • cybersecurity governance and risk management;
  • cybersecurity risk assessment;
  • technical controls;
  • incident response planning;
  • vendor management;
  • staff training;
  • cyber intelligence and information sharing; and
  • cyber insurance.

While many of the practices discussed in FINRA's report are geared to large firms with sophisticated management structures, FINRA believes small firms can benefit from this report as well.

FINRA, the Financial Industry Regulatory Authority, is the largest independent regulator for all securities firms doing business in the United States. FINRA is dedicated to investor protection and market integrity through effective and efficient regulation and complementary compliance and technology-based services. FINRA touches virtually every aspect of the securities business – from registering and educating all industry participants to examining securities firms, writing rules, enforcing those rules and the federal securities laws, and informing and educating the investing public. In addition, FINRA provides surveillance and other regulatory services for equities and options markets, as well as trade reporting and other industry utilities. FINRA also administers the largest dispute resolution forum for investors and firms. For more information, please visit