Targeted Examination Letters

January 2014

Re: Cybersecurity


FINRA is conducting an assessment of firms' approaches to managing cybersecurity threats. FINRA is conducting this assessment in light of the critical role information technology (IT) plays in the securities industry, the increasing threat to firms' IT systems from a variety of sources, and the potential harm to investors, firms, and the financial system as a whole that these threats pose.


FINRA has four broad goals in performing this assessment:

  1. to understand better the types of threats that firms face;
  2. to increase our understanding of firms' risk appetite, exposure and major areas of vulnerabilities in their IT systems;
  3. to understand better firms' approaches to managing these threats, including through risk assessment processes, IT protocols, application management practices and supervision; and
  4. as appropriate, to share observations and findings with firms.

Note: The assessment addresses a number of areas related to cybersecurity, including firms':

  • approaches to information technology risk assessment;
  • business continuity plans in case of a cyber-attack;
  • organizational structures and reporting lines;
  • processes for sharing and obtaining information about cybersecurity threats;
  • understanding of concerns and threats faced by the industry;
  • assessment of the impact of cyber-attacks on the firm over the past twelve months;
  • approaches to handling distributed denial of service attacks;
  • training programs;
  • insurance coverage for cybersecurity-related events; and
  • contractual arrangements with third-party service providers.