FINRA Cybersecurity Alert – SitusAMC Security Incident
Impact: All Firms
FINRA member firms should be aware of a security incident involving SitusAMC, a technology services company that provides solutions to commercial and real estate banks and financiers, many of which serve as vendors to member firms. Given the third- and fourth-party risk that this incident poses to member firms, FINRA recommends sharing this Cyber Alert with appropriate information technology and information security personnel as well as with any third-party vendors that may also leverage the services of SitusAMC.
Summary
On Nov. 12, 2025, SitusAMC confirmed threat actors breached its systems and accessed sensitive client data, exposing corporate information, accounting records and legal agreements tied to major financial institutions—data that could be abused to target member firm customers through the firms’ fourth-party relationship to SitusAMC via its banking arrangement(s). The breach potentially impacted major U.S. financial banking institutions, along with pension funds and state governments that rely on SitusAMC's services.
Possible exposures include:
- unauthorized access to SitusAMC's systems, enabling access to corporate data;
- theft of accounting records and legal agreements associated with banking customers' relationships with SitusAMC;
- exposure of potentially billions of loan-related documents, given SitusAMC processes such documents annually; and
- potential compromise of extensive personal information, including Social Security numbers, financial account details, and employment records contained in loan applications.
The main goal appeared to be large-scale data theft—leveraging stolen corporate information, accounting records, and legal agreements for potential follow-on attacks or extortion—and not the deployment of malware.
SitusAMC has stated that the incident is "now contained" with all systems remaining operational, and that it is working to identify and notify impacted clients. Member firms can monitor SitusAMC’s website for any updates on the incident.
Recommendation to Protect Your Firm
To protect against this vulnerability, FINRA recommends member firms discuss with their critical banking vendors whether they have been impacted by the incident and, if so, determine whether the firm’s data are potentially impacted and what steps the vendor has taken to remediate and contain the incident.¹
FINRA encourages member firms that identify data breaches or attempted data breaches to contact their Risk Monitoring Analyst and report them to:
- FINRA using the Regulatory Tip Form found on FINRA.org;
- the SEC using the Tips, Complaints, and Referrals form or by calling (202) 551-4790; and
- the FBI using its Internet Crime Complaint Center or by calling 1-800-CALLFBI (1-800-225-5324).
Additionally, both the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) urge organizations to promptly report cyber incidents to a local FBI Field Office or the FBI Internet Crime Complaint Center (IC3) at IC3.gov, and to CISA via CISA’s 24/7 Operations Center (by email or at 888-282-0870).
Questions related to this Alert or other cybersecurity-related topics can be emailed to the FINRA Cyber and Analytics Unit (CAU).
Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Alert in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some information may not be relevant due to certain firms’ business models, sizes or practices.
¹ This recommendation follows one category of the “DETECT (DE)” core function of the National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework (CSF) 2.0: “DE.CM-06: External service provider activities and services are monitored to find potentially adverse events.” The NIST CSF 2.0 provides guidance to industry, government agencies and other organizations to help them better understand, assess, prioritize and communicate their cybersecurity efforts and manage cybersecurity risks.