Targeted Examination Letters
FINRA is conducting an assessment of firms' approaches to managing cyber-security threats. FINRA is conducting this assessment in light of the critical role information technology (IT) plays in the securities industry, the increasing threat to firms' IT systems from a variety of sources, and the potential harm to investors, firms, and the financial system as a whole that these threats pose.
FINRA has four broad goals in performing this assessment:
- to understand better the types of threats that firms face;
- to increase our understanding of firms' risk appetite, exposure and major areas of vulnerabilities in their IT systems;
- to understand better firms' approaches to managing these threats, including through risk assessment processes, IT protocols, application management practices and supervision; and
- as appropriate, to share observations and findings with firms.
Note: The assessment addresses a number of areas related to cybersecurity, including firms':
- approaches to information technology risk assessment;
- business continuity plans in case of a cyber-attack;
- organizational structures and reporting lines;
- processes for sharing and obtaining information about cybersecurity threats;
- understanding of concerns and threats faced by the industry;
- assessment of the impact of cyber-attacks on the firm over the past twelve months;
- approaches to handling distributed denial of service attacks;
- training programs;
- insurance coverage for cybersecurity-related events; and
- contractual arrangements with third-party service providers.