Cybersecurity Advisory - FINRA Highlights Effective Practices for Responding to a Cyber Incident
Impact: All Firms
The prevalence of cybersecurity incidents continues to increase at FINRA member firms. As a result of the continued proliferation of cybercrime, the Cyber and Analytics Unit (CAU) within FINRA’s Member Supervision program is issuing this advisory to highlight effective practices and considerations for member firms when responding to cyber incidents, including the benefits of voluntarily reporting information related to the incident to various entities.
Cyber Incident Preparation and Response
FINRA observed that the following effective practices may help firms prepare for and respond to a cyber-related incident:
- Develop a written Incident Response Plan (IRP) that at a minimum:
  - Identifies who will lead and who will participate on the incident response team, including internal staff and third-party providers.
  - Includes contact information for all response team members, senior leaders, critical suppliers and vendors, and law enforcement and regulatory contacts.
  - Describes the steps to follow to analyze, contain, remove, and recover from common types of cyber incidents.
  - Outlines a communication plan for providing information to internal staff, including executive leadership, and to external entities, including customers.
  - Is reviewed and updated on a regular basis, at least quarterly.
- Educate firm employees on their responsibilities related to the IRP through training including conducting simulation or tabletop exercises.
- When possible, meet with law enforcement representatives and regulators prior to a cyber incident to establish a relationship.
- Test the IRP prior to the occurrence of a cyber incident to explore the efficacy of the firm’s response program.
When a cyber incident occurs, the following effective practices may be helpful in guiding a firm’s response efforts:
- Assign someone to lead the firm’s response to the incident and to ensure the steps in the firm’s IRP are followed.
- Provide mandatory and voluntary notifications to the firm’s regulators and law enforcement agencies (see the next section of this alert).
  - These notifications may need to be made outside of the firm’s compromised systems if they are made prior to the restoration of firm systems.
- Maintain evidence collected and documentation created as part of any internal investigations into the incident.
After a cyber incident occurs, the following effective practices may help to prevent the reoccurrence of a similar cyber incident:
- Conduct a post-incident review meeting to discuss what occurred, the firm’s response, and the lessons learned.
- Review the IRP and make any required changes based on lessons learned.
- Share information internally about the cyber incident, including what occurred and why, to foster heightened awareness of cyber-related risk and threat actor tactics.
Reporting Cyber Incidents
When a cyber incident occurs, depending on the type and details of the incident, firms may have mandatory reporting requirements including filing notices with federal and state regulators. The firm’s IRP should include internal procedures to ensure appropriate firm personnel review the incident and determine what, if any, mandatory notifications are required.
In addition, firms should also consider providing voluntary notifications of a cyber incident to various entities across the public and private sector. These actions may provide a variety of benefits including the following:
- An increased probability of financial asset recovery (e.g., through the FBI’s Recovery Asset Team (RAT) [1] and Financial Fraud Kill Chain (FFKC) [2]).
- A decreased risk of exposing third parties (e.g., vendors) to the incident.
- An improved response time in restoring operations to normal, as other entities may have additional information to assist the firm in its recovery efforts.
Voluntarily reporting cyber incidents to other agencies and organizations expands the intelligence and assistance that firms receive. For example, law enforcement agencies may aid the firm as part of a criminal investigation of the perpetrator of the incident. Additionally, firms may receive supplemental threat intelligence and guidance after voluntarily reporting a cyber incident, while also contributing to the broader industry or community response and recovery efforts.
In summary, there are several benefits associated with the voluntary reporting of cyber incidents by FINRA member firms including:
- Strengthened protection of critical infrastructure,
- Improved threat awareness across the financial sector, and
- An enhanced and coordinated industry or community response for large-scale cyber incidents.
An example of voluntary reporting of a cyber incident would be to provide a report to the Cybersecurity and Infrastructure Security Agency (CISA) Central, which leaves the federal government of the United States better positioned to respond to cyber incidents across governmental agencies and private sector entities. A firm’s voluntary report may ultimately be aggregated and provided to the National Cyber Response Coordination Group, which serves as the federal government’s principal interagency mechanism to coordinate response and recovery efforts across government agencies. If a large-scale cyber incident were to occur, a Cyber Unified Coordination Group (UCG) [3] could be activated. Activation of a Cyber UCG allows for a whole-of-government, risk-based response to protect lives and critical infrastructure and to prevent further spread of the cyber threat across governmental agencies and private sector entities.
Reporting Resources and Contact Information
Given the extensive benefits associated with reporting cyber incidents, FINRA is providing member firms with a non-exhaustive list of regulatory, law enforcement, and US Government resources, including entities where firms may have either a mandatory reporting obligation or may voluntarily file a report.
- Federal Bureau of Investigation (FBI)
- United States Secret Service (USSS)
  - The USSS investigates complex cyber-enabled financial crimes.
  - Firms are encouraged to report cyber incidents to local USSS Field Offices.
- United States Treasury Department Financial Crimes Enforcement Network (FinCEN)
- North American Securities Administrators Association (NASAA)
  - NASAA represents state and provincial securities regulators in the United States, Canada and Mexico.
  - Firms are encouraged to contact state and provincial securities regulators when appropriate (e.g., when complying with state data breach notification laws).
- State Attorneys General Offices
  - FINRA member firms may also have a regulatory obligation to notify applicable state attorneys general when a data breach occurs.
Cyber-risk-focused associations and organizations may provide firms with the opportunity to voluntarily report and discuss cyber-related events and to receive additional threat intelligence and guidance that is not otherwise available. Many of the organizations below coordinate responses across their members when broad financial services industry or nation-wide cybersecurity events occur.
- InfraGard
  - InfraGard is a non-profit organization serving as a public-private partnership between U.S. businesses and the FBI.
  - Firms can join the InfraGard Application Waitlist.
- Financial Services Sector Coordinating Council (FSSCC)
  - FSSCC is an industry-led non-profit organization that coordinates critical infrastructure and homeland security activities within the financial services industry.
  - Firms can learn more by visiting the FSSCC website.
- Financial Services Information Sharing and Analysis Center (FS-ISAC)
  - FS-ISAC is a member-driven, not-for-profit organization that advances cybersecurity and resilience in the global financial system.
  - Firms can learn more by visiting the FS-ISAC website.
- Domestic Security Alliance Council (DSAC)
  - DSAC is a public-private partnership between the FBI and the Department of Homeland Security that enhances communication and promotes the timely and effective exchange of security and intelligence information between the federal government and the private sector.
  - DSAC is a corporate member program. Member companies are for-profit and must generate a minimum of $1 billion in annual revenue, have a chief security officer and security team based in the United States, and show a nexus to U.S. national and economic security.
  - Firms can learn more by visiting the DSAC website.
Questions or feedback related to this advisory or other cybersecurity-related topics can be sent to the CAU at [email protected]. Regulatory tips related to cybersecurity should also be filed with FINRA.
Note: This Advisory does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Advisory in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some items may not be relevant due to certain firms’ business models, sizes, or practices. The citation or listing of any organization should not be interpreted as endorsements of the organizations.
1. The Internet Crime Complaint Center's RAT was established in February 2018 to streamline communication with financial institutions and assist FBI field offices with the freezing of funds for victims who made transfers to domestic accounts under fraudulent pretenses.
2. The FBI offers a FFKC process to help recover large international wire transfers stolen from the United States. The FFKC is intended to be utilized as another potential avenue for U.S. financial institutions to get victim funds returned.
3. A Cyber UCG is a task force construct established in 2021 and composed of the FBI, CISA, and the Office of the Director of National Intelligence (ODNI), with support from the National Security Agency (NSA). The UCG is intended to unify the individual efforts of these agencies and to coordinate a whole-of-government response to significant cyber incidents, including investigations and remediation.