Cybersecurity and Technology Management

Regulatory Obligations and Related Considerations

Regulatory Obligations

Several SEC and FINRA rules directly relate to cybersecurity. Rule 30 of SEC Regulation S-P requires member firms to have written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information. Regulation S-ID (Identity Theft Red Flags) requires member firms to develop and implement a written program reasonably designed to detect, prevent and mitigate identity theft in connection with the opening or maintenance of "covered accounts."¹

FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) also applies to denials of service and other interruptions to member firms’ operations. In addition to member firms’ compliance with SEC regulations, FINRA reminds firms that cybersecurity remains one of the principal operational risks facing broker-dealers, and expects firms to develop and maintain reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations.

Cybersecurity incidents, such as account takeovers, ransomware or network intrusions, and any related exposure of customer information or fraudulent financial activity can expose member firms to financial losses, reputational risks and operational failures that may compromise firms’ ability to comply with a range of rules and regulations, including FINRA Rules 4370, 3110 (Supervision) and 3120 (Supervisory Control System), as well as Exchange Act Rules 17a-3 and 17a-4, Rule 30 of Regulation S-P and Regulation S-ID. Such incidents could also implicate FINRA Rule 4530(b) (Reporting Requirements), which requires members to promptly report to FINRA when it has concluded (or reasonably should have concluded) that it or its associated person has violated any securities-, insurance-, commodities-, financial- or investment-related laws, rules, regulations or standards of conduct of any domestic or foreign regulatory body or self-regulatory organization, where such violative conduct meet the standards in FINRA Rule 4530.01 (Reporting of Firms' Conclusions of Violations).

New SEC Cybersecurity Rules

In July 2023, the SEC adopted rules requiring public reporting companies to disclose:

material aspects of cybersecurity incidents they experience (e.g., nature, scope, timing, material impact) within four business days after the firm determines the incident is material; and
material information regarding their cybersecurity risk management, strategy and governance on an annual basis.

In addition, in March 2023, the SEC proposed a cybersecurity risk management rule that, if adopted, would require member firms and other market participants to address cybersecurity risks, including by:

establishing, maintaining and enforcing written policies and procedures that are reasonably designed to address cybersecurity risks; and
providing the SEC with immediate written electronic notice of significant cybersecurity incidents.

Member firms that are “covered entities” would further be required to:

include minimum specified elements in their written cybersecurity policies and procedures;
report to the SEC and update information about significant cybersecurity incidents; and
publicly disclose summary descriptions of their cybersecurity risks and the significant cybersecurity incidents they experienced during the current or previous calendar years.

For additional guidance, FINRA recommends:

Related Considerations

Technology Management

Complexity of Business

Does your firm have supervisory controls for designing, implementing and monitoring the health and performance of technology solutions?
Has your firm established supervisory control reviews and metrics to measure control effectiveness?

Vendor Management

What process has your firm established to assess the risks associated with third-party vendors during the initial onboarding and on a regular basis thereafter? In the event there is a report of a security breach at a vendor, can your firm identify all components and services third parties provide?
Has your firm established supervisory controls for technology vendors’ business impact, including assessments and contingency plans?
Has your firm established supervisory controls to manage vendor offboarding, ensuring that former vendors’ access to systems, data and corporate infrastructure is revoked?

Change Management

Has your firm established supervisory controls to manage technology changes that include change risk assessments, rollback plans, change validations and change approval processes?
What type of testing does your firm perform before, and after, moving system and application changes into a production environment?
Does your firm have repeatable processes for root cause analysis, incident and problem management tracking and metrics reporting?

System Availability and Business Continuity

Has your firm established capabilities to prevent technology disruptions and respond to technology incidents, including assessing customer impact and remediation?
What controls has your firm implemented to mitigate system capacity performance and integrity issues that may undermine its ability to conduct business and operations, monitor risk or report key information?
How does your firm determine whether to maintain, refresh or retire its end-of-life products?

Cybersecurity

Data Management

What steps has your firm taken to prevent a cybersecurity intrusion, such as a ransomware attack? In the event your firm experiences an intrusion, how will it restore critical data from backups, as well as identify and recover customer information that was exfiltrated?
How does your firm protect sensitive customer information or confidential firm data from being exposed to, or copied by, nonauthorized individuals (including associated persons or “insiders” of your firm) or threat actors, including blocking unauthorized copying and monitoring sensitive data in outbound emails?

Cybersecurity Events

What steps has your firm taken to prevent a cybersecurity intrusion, such as a business email compromise, phishing or ransomware attack?
In the event your firm experiences an intrusion, how will it restore critical data from backups, as well as identify and recover customer information that was exfiltrated?
What are your firm’s procedures to communicate cybersecurity events to Anti-Money Laundering (AML) or compliance staff related to meeting regulatory obligations, such as the filing the filing of Suspicious Activity Reports (SARs) and reviewing and remediating potentially impacted customer accounts?
Does your firm maintain an Incident Response Plan (IRP) that includes guidance or playbooks for common cybersecurity incidents (e.g., data breaches, ransomware infections, account takeovers) and conduct a simulation exercise to practice the IRP? Does the IRP also include steps for responding to a cybersecurity incident that occurs at a critical vendor?
How does your firm verify the identity of an individual when creating a new account or accessing an existing account? What controls are in place for higher-risk account changes (e.g., multifactor authentication (MFA) or commensurate controls for linked bank account changes, third-party wires, account email address changes)?
How does your firm monitor for imposter websites that may be impersonating your firm or your registered representatives? How does your firm address imposter websites once they are identified?
What kind of security training does your firm conduct, such as email best practices and phishing? Does your firm provide training to all staff and not just to registered persons? Is the training tailored to the staff’s role and level of access to systems?

Increased Risk of Cybersecurity Incidents

FINRA has observed an increase in the variety, frequency and sophistication of certain cybersecurity incidents, including:

Imposter Websites – phishing campaigns involving fraudulent emails claiming to be from FINRA;
Insider Threats – incidents where firm employees, advertently or inadvertently, use their access to firms’ systems and data to cause harm to firms, their investors or both;
Ransomware – cyberattacks where bad actors gain unauthorized access to firm systems, encrypting or otherwise accessing sensitive firm data or customer information, and then holding that hijacked data for ransom; and
Cybersecurity Events at Critical Vendors – incidents experienced by vendors that provide information technology services to firms, resulting in harm to firms and their investors.²

Firms can find guidance related to identifying, preventing and mitigating these cybersecurity incidents in the FINRA Cybersecurity and Industry Risks and Threats – Resources for Member Firms Topics Pages, which include:

Cybersecurity Alerts and Advisories that, for example, warn firms about imposter websites and highlight CISA Advisories concerning ransomware threats;
Regulatory Notices 23-06 (FINRA Shares Effective Practices to Address Risks of Fraudulent Transfers of Accounts Through ACATS) and 22-21 (FINRA Alerts Firms to Recent Trend in Fraudulent Transfers of Accounts Through ACATS); and
the Insider Threats – Effective Controls and Practices guidance resources.

Branch Controls

How does your firm identify and address branch-specific cybersecurity risks, including those associated with branch-hosted email or other software systems and servers?
If your firm permits registered representatives to use personal technology (e.g., devices, applications, servers) for business, how does your firm ensure its foundational security controls are implemented (e.g., security patches, anti-virus software)?
Does your firm maintain an inventory of all technology assets branch office staff use to access your firm’s systems or data, including personal computers and servers?
How does your firm review branch office security controls to ensure compliance with required standards established in your firm’s written policies and procedures?
Do branch office personnel know how to respond to cybersecurity incidents in the branch, including when to report the incident to the home office?

Observations and Effective Practices

Observations

Technology Management

WSPs: Not updating WSPs to reflect the firm’s current cybersecurity practices; and not enforcing the firm’s WSPs related to cybersecurity.
Branch Office Security Controls: Not establishing security controls that branch offices must follow when they maintain their own email systems or other application systems or servers; and failing to detect and respond when a branch office is not compliant with established security controls for maintaining a branch-hosted email or application server.
Third-Party Vendor Supply Chain Management: Not maintaining a list of all third-party services, or hardware and software components, the vendor provides and which the firm’s technology infrastructure uses.
Digital Transformation and the Adoption of Cloud: Inadequate planning and design when adopting the use of cloud-based systems or technology.

Cybersecurity

Account Access Authentication: Not requiring MFA for login access to the firm’s operational, email and registered representatives’ systems for employees, contractors and customers, and not using tools to identify potential unauthorized access to the firm’s internal and customer-facing systems.
New Account Opening Identify Validation: Ineffective processes and tools for validating the identity of customers who are opening new accounts or detecting suspicious activity associated with new account fraud (e.g., opening of multiple new accounts opened from the same internet protocol (IP) address, device ID or email address).
Data Loss Prevention (DLP): Not monitoring network activity to identify unauthorized copying or deletion of customer or firm data, and not monitoring outbound emails to identify sensitive customer data in text or attachments.
Log Management Practices: Not sufficiently logging or retaining data related to business or technical activities to effectively assist with the forensic analysis of cybersecurity incidents (e.g., determining the entry point and scope of an attack).
Identify Theft Prevention Program (ITPP): Implementing a generic ITPP that is not appropriate for the firm’s size, complexity, and the nature and scope of the firm’s activities, and not periodically updating the firm’s ITPP to reflect changes in identify theft risks.
SAR Filings: Not having reasonably designed procedures for investigating cybersecurity events and considering whether a SAR filing is required, consistent with applicable guidance from the Financial Crimes Enforcement Network (FinCEN).

Effective Practices

Technology Management

Data Backups: Completing regular backups of critical data and systems, and ensuring the backup copies are encrypted and stored off-network; and regularly testing the recovery of data from backups to ensure information can be restored from backup tapes.
Vendor Management: Maintaining a list of all third-party-provided services, systems and software components that can be leveraged in the event of a cybersecurity incident at one of the firm’s third-party vendors.
Branch Office Procedures: Limiting the use of branch-managed servers for email or other applications (e.g., customer relationship management, reporting) and, if branch-managed servers are permitted, ensuring adequate security controls are maintained.
Risk Assessments: Regularly assessing the firm’s cybersecurity risk profile based on changes in the firm’s size and business model and newly identified threats; and regularly updating the firm’s cybersecurity program and AML program based on those assessments.
Secure Configurations: Confirming that desktops, laptops and servers are using current software systems with secure settings that expose only required services to reduce system vulnerabilities; and implementing timely application of systems security patches.
Log Management: Capturing log data from a broad set of sources and retaining it for a sufficient amount of time (e.g., a minimum of 24 months).
IT Resiliency: Implementing and testing firm controls to ensure established acceptable service levels are maintained during disruption of critical business operations relying on IT systems.

Cybersecurity

Account Intrusion: Reviewing potentially violative activity when identified to determine whether further action (e.g., trading and fund restrictions on the accounts) is appropriate.
Imposter Domains: Monitoring the internet for any new imposter domains that pretend to represent the firm or a registered representative; and maintaining written procedures for responding to reports of imposter domains that include reporting the domains and notifying impacted customers or business partners.
Outbound Email Monitoring: Implementing systems that scan outbound email text and attachments to identify and potentially block sensitive customer information or confidential firm data.
Potential Intrusion Report Card: Leveraging the FINRA Cross Market Options Supervision: Potential Intrusion Report Card, which provides lists of trades related to potentially fraudulent options transactions facilitated by account takeover schemes.
Training and Security Awareness: Periodically training staff to identify and thwart tactics, techniques and procedures (TTPs) associated with people-centric attack vectors (e.g., phishing attacks, social engineering).
Identity Verification: For firms that allow new accounts to be opened online, developing a comprehensive process for validating the identity of new clients; and using third parties that can verify identities and provide a score related to the level of risk associated with a new account (to help firms determine if additional verification is required).

Additional Resources

FINRA
- Cybersecurity Key Topics Page, including:
  - Core Cybersecurity Threats and Effective Controls for Small Firms (May 5, 2022)
  - Cross-Market Options Supervision: Potential Intrusions Report Card
  - Customer Information Protection Key Topics Page
  - Firm Checklist for Compromised Accounts (September 5, 2023)
  - List of Non-FINRA Cybersecurity Resources
  - Report on Selected Cybersecurity Practices – 2018
  - Report on Cybersecurity Practices – 2015
  - Small Firm Cybersecurity Checklist (September 7, 2023)
- FINRA Cybersecurity Advisory – FINRA Highlights Effective Practices for Responding to a Cyber Incident (December 12, 2023)
- Quantum Computing and the Implications for the Securities Industry (October 30, 2023)
- FINRA Cybersecurity Advisory – SEC Rules on Cybersecurity Risk Management Strategy, Governance, and Incident Disclosure by Public Companies (September 21, 2023)
- Industry Risks and Threats – Resources for Member Firms
- Regulatory Notices
  - Regulatory Notice 22-29 (FINRA Alerts Firms to Increased Ransomware Risks)
  - Regulatory Notice 22-18 (FINRA Reminds Firms of Their Obligation to Supervise for Digital Signature Forgery and Falsification)
  - Regulatory Notice 21-42 (FINRA Alerts Firms to “Log4Shell” Vulnerability in Apache Log4j Software)
  - Regulatory Notice 21-30 (FINRA Alerts Firms to a Phishing Email Campaign Using Multiple Imposter FINRA Domain Names)
  - Regulatory Notice 21-29 (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors)
  - Regulatory Notice 21-18 (FINRA Shares Practices Firms Use to Protect Customers From Online Account Takeover Attempts)
  - Regulatory Notice 20-32 (FINRA Reminds Firms to Be Aware of Fraudulent Options Trading in Connection With Potential Account Takeovers and New Account Fraud)
  - Regulatory Notice 20-30 (Fraudsters Using Registered Representatives Names to Establish Imposter Websites)
  - Regulatory Notice 20-13 (FINRA Reminds Firms to Beware of Fraud During the Coronavirus (COVID-19) Pandemic)
  - Regulatory Notice 15-09 (Guidance on Effective Supervision and Control Practices for Firms Engaging in Algorithmic Trading Strategies)
SEC
- Proposed Amendments to Cybersecurity Rules (March 15, 2023)

Emerging Risk: Artificial Intelligence

Artificial Intelligence (AI) technology is rapidly evolving, most recently with the emergence of generative AI tools. As in other industries, broker-dealers and other financial services industry firms are exploring and deploying these technologies—either with in-house solutions or through third parties—to create operational efficiencies and better serve their customers. While these tools may present promising opportunities, their development has been marked by concerns about accuracy, privacy, bias and intellectual property, among others. As member firms continue to consider the use of new technologies, including generative AI tools, they should be mindful of how these technologies may implicate their regulatory obligations.
The use of AI tools could implicate virtually every aspect of a member firm’s regulatory obligations, and firms should consider these broad implications before deploying such technologies. Member firms may consider paying particular focus to the following areas when considering their use of AI:
- Anti-Money Laundering
- Books and Records
- Business Continuity
- Communications With the Public
- Customer Information Protection
- Cybersecurity
- Model Risk Management (including testing, data integrity and governance, and explainability)
- Research
- SEC Regulation Best Interest
- Supervision
- Vendor Management
In addition to existing rules and regulatory obligations, member firms should be mindful that the regulatory landscape may change as this area continues to develop.
For additional guidance, member firms may also consider:
- FINRA’s FinTech Key Topics Page
- 2023 FINRA Annual Conference: Leveraging Regulatory Technology For Your Firm ³
- FINRA Report: Artificial Intelligence (AI) in the Securities Industry (June 2020)
- FINRA Unscripted Podcast: AI Virtual Conference: Industry Views on the State of Artificial Intelligence (November 24, 2020)
- National Institute of Standards and Technology (NIST): Artificial Intelligence Risk Management Framework (AI RMF 1.0) (January 2023)

Previous:
Financial Crimes

Up:
Cybersecurity and Technology Management

Next:
Anti-Money Laundering, Fraud and Sanctions

1 See 17 CFR 248.201(b)(3), which defines “covered account” as:

(i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a brokerage account with a broker-dealer or an account maintained by a mutual fund (or its agent) that permits wire transfers or other payments to third parties; and

(ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

2 See CISA Advisory #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability for an example of a cybersecurity event that negatively impacted critical vendors.

3 Session recordings from the 2023 FINRA Annual Conference are available for viewing by FINRA member firms and CRCP graduates. Please see FINRA’s Conferences and Events page for a list of recorded sessions, and directions for accessing them.