Given the evolving nature, increasing frequency, and sophistication of cybersecurity attacks – as well as the potential for harm to investors, firms, and the markets – cybersecurity practices are a key focus for FINRA.
FINRA also reviews a firm’s ability to protect the confidentiality, integrity and availability of sensitive customer information. This includes reviewing each firm’s compliance with SEC regulations, including:
- Regulation S-P (17 CFR §248.30), which requires firms to adopt written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorized access
- Regulation S-ID (17 CFR §248.201-202), which outlines a firm's duties regarding the detection, prevention, and mitigation of identity theft
- The Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)), which requires firms to preserve electronically stored records in a non-rewriteable, non-erasable format
FINRA reviews firms' approaches to cybersecurity risk management, including: technology governance, system change management, risk assessments, technical controls, incident response, vendor management, data loss prevention, and staff training.
FINRA has created a Checklist for a Small Firm's Cybersecurity Program (Excel 114 KB) to assist small firms in establishing a cybersecurity program to:
- identify and assess cybersecurity threats
- protect assets from cyber intrusions
- detect when their systems and assets have been compromised
- plan for the response when a compromise occurs
- implement a plan to recover lost, stolen or unavailable assets
This checklist is primarily derived from the National Institute of Standards and Technology (NIST) Cybersecurity Framework and FINRA’s Report on Cybersecurity Practices.
Use of this checklist does not create a "safe harbor" with respect to FINRA rules, federal or state securities laws, or other applicable federal or state regulatory requirements.
Core Cybersecurity Controls for Small Firms is a list of core controls that are likely to be relevant to many small firms’ cybersecurity programs. This list was designed to help small firms in establishing an effective cybersecurity program.
Report on Selected Cybersecurity Practices – 2018 is a detailed review of effective information-security controls at securities firms. The report is designed to help broker-dealers – including small firms – further develop their cybersecurity programs. The report addresses areas that firms tend to find most challenging: cybersecurity controls in branch offices; methods of limiting phishing attacks; identifying and mitigating insider threats; elements of a strong penetration-testing program; and establishing and maintaining controls on mobile devices.
Report on Cybersecurity Practices (2015) highlights effective practices that firms should consider to strengthen their cybersecurity programs. The observations and practices in the report are based on a variety of sources, including a sweep we conducted in 2014 of firms of varying sizes and business models, a 2011 survey of firms and interviews with other organizations involved in cybersecurity. As we note in the report, there is no one-size-fits-all approach to a cybersecurity infrastructure. Rather, the risk management-based approach that we discuss in the report enables firms to tailor their program to their particular circumstances.
Firms should get to know their local Federal Bureau of Investigation (FBI) and proactively plan for a cybersecurity attack or breach.
In case your firm is the victim of a disruptive attack or breach, for instance your data has been accessed or your customers cannot do business, you should immediately report the incident to your:
In an effort to provide enhanced compliance tools and resources, FINRA has developed the Compliance Vendor Directory (CVD). The FINRA CVD is designed to give firms more options in locating vendors that provide compliance-related offerings, including cybersecurity vendors and services.
Use of any products, services and/or materials offered by these vendors does not ensure compliance with regulatory requirements or create a safe harbor from regulatory responsibility. Firms should undertake their own assessments to determine whether the products or services meet their technology and security requirements. FINRA does not endorse these vendors or products, services or materials they offer and firms are not obligated to use them.
FINRA has assembled a list of non-FINRA cybersecurity resources that firms may use to manage their cybersecurity risk. These resources include:
- news and analysis
- effective practices and guidance
- free diagnostic tools
Use of any of these resources does not ensure compliance with FINRA's cybersecurity rules and policies. FINRA does not endorse or guarantee any of the resources listed within.
FINRA's Office of General Counsel (OGC) staff provides broker-dealers, attorneys, registered representatives, investors and other interested parties with interpretative guidance relating to FINRA’s rules. Please see FINRA OGC Interpretative Guidance for more information.
OGC staff contact:
1735 K Street, NW
Washington, DC 20006
- FINRA Rule 3110
- FINRA Rule 3120
Supervisory Control System
- FINRA Rule 4530(b)
- FINRA Supplementary Material 4530.01
Reporting of Firms' Conclusions of Violations
- 17 CFR §248.201-202
Regulation S-ID: Identity Theft Red Flags
- 17 CFR §248.1-100
Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information
- 17 CFR §240.17a-4(f)
The Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)) requires firms to preserve electronically stored records in a non-rewriteable, non-erasable format.
FINRA has assembled a list of resources that firms may use to manage their cybersecurity risk. These resources include:
Use of any of these resources does not ensure compliance with FINRA’s cybersecurity rules and policies. FINRA does not endorse or guarantee any of the resources listed below.