Skip to main content

October 16, 2019

Observations on Cybersecurity

While many firms have made significant improvements in their cybersecurity programs, cybersecurity attacks continue to increase in both number and level of sophistication. FINRA notes that such attacks often take advantage of and highlight weaknesses in a firm’s cybersecurity program. The observations and effective practices we share below can help firms strengthen their cybersecurity programs and may support compliance with the SEC’s Regulation S-P, which requires firms to have policies and procedures addressing the protection of customer records and information.9

We encourage firms to strengthen their cybersecurity programs by taking advantage of FINRA publications and other resources identified below. FINRA recognizes that there is no one-size-fits-all approach to cybersecurity, and reminds firms to evaluate each of the controls described in this report and other FINRA resources in the context of their business model and risk profile.

Highlighted below are effective practices some firms have implemented to strengthen their cybersecurity risk-management programs.

  • Branch Controls – Firms maintained branch-level written cybersecurity policies to protect confidential data. In addition, they implemented procedures to verify that branch office controls were implemented and functioning adequately, either via automated monitoring tools or during in-person branch inspections.
  • Documented Policies on Vendor and Third-Party Management – Firms using third-party vendors that provide critical firm services or handle sensitive client information adopted, implemented, and documented formal policies and procedures to manage the lifecycle of the firm’s engagement with the vendor (i.e., from onboarding, to ongoing monitoring, through off-boarding, including defining how vendors will dispose of sensitive client information).
  • Incident Response Planning – Firms established and regularly tested written formal incident response plans that outlined procedures they would follow when responding to cybersecurity and information security incidents. Firms also developed procedures relating to incident response plans, which included a mechanism to appropriately identify, classify, prioritize, track and close cybersecurity-related incidents.
  • Data Protection Controls – Firms encrypted all confidential data, including sensitive customer information and firm information, whether stored internally or at vendors’ locations.
  • System Patching – Firms adopted procedures to implement timely application of system security patches to critical firm resources (e.g., servers, network routers, desktops, laptops and software systems) to protect sensitive client or firm information.
  • Access Controls – Firms implemented or maintained policies and procedures to grant system and data access only when required (often referred to as “Policy of Least Privilege”) and removed such access when it was no longer needed (such as when individuals departed or changed roles at the firm). In addition, firms tracked (and monitored the activities of) individuals granted administrator access to data or systems. Further, firms implemented multi-factor or two-factor authentication controls for registered representatives, employees, vendors and contractors accessing firm systems and data from outside the organization.
  • Management of Asset Inventory – Some firms created and kept current an inventory of critical information technology assets—including hardware, software and data—in home and branch offices. These inventories also included legacy assets that vendors no longer supported, as well as corresponding cybersecurity controls to protect those assets.
  • Data Loss Prevention Controls – Certain firms implemented data loss prevention controls to protect a broad range of sensitive customer information in addition to Social Security numbers, such as other account profile information (e.g., account numbers, dates of birth, bank information and driver’s license numbers).
  • Training and Awareness – Firms provided robust cybersecurity training for registered representatives, personnel, third-party providers and consultants. This training addressed key topics relevant to individuals’ roles and responsibilities (e.g., training on the various types of phishing emails that might be directed towards registered representatives’ associates or home office staff in the human resources or finance departments, or training on secure software development practices for developers). Some firms determined the appropriate frequency of such training based on the cybersecurity risk exposure associated with the firm, as well as individuals’ roles and responsibilities.
  • Change Management Processes – Some firms implemented change management procedures to document, review, prioritize, test, approve, and manage hardware and software changes in order to protect sensitive information and firm services.

Additional Resources


9 This obligation includes protection against any anticipated threats or hazards to the security or integrity of customer records and information, as well as unauthorized access to or use of such records or information. Also, the rule requires firms to provide initial and annual privacy notices to customers describing information sharing policies and informing customers of their rights.