Cybersecurity and Cyber-Enabled Fraud
Regulatory Obligations
Cybersecurity incidents may expose firms to loss of customer information, financial losses, reputational risks and operational failures. The failure to have a well-designed cybersecurity program could result in compliance shortfalls. Rules and regulations that may be implicated in the cybersecurity space include SEC Regulations S-P (Privacy of Consumer Financial Information and Safeguarding Personal Information) and S-ID (Identity Theft Red Flags), as well as FINRA Rules 3110 (Supervision) and 4370 (Business Continuity Plans and Emergency Contact Information), and Securities Exchange Act (SEA) Rules 17a-3 and 17a-4.
Rule 30 of SEC Regulation S-P requires member firms to, among other things, have written policies and procedures that address administrative, technical and physical safeguards for the protection of customer information.[1] Regulation S-ID requires member firms that offer or maintain one or more covered accounts[2] to develop and implement a written program that is designed to detect, prevent and mitigate identity theft in connection with the opening or maintenance of such accounts.[3]
Amendments to Regulation S-P
In May 2024, the SEC announced the adoption of amendments to Regulation S-P. The amendments provide, among other things, that a firm’s policies and procedures to safeguard customer information must include a program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, including procedures to notify affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.
Larger entities were required to comply with the amendments to Regulation S-P by Dec. 3, 2025. Smaller entities must comply with the amendments by June 3, 2026.
FINRA has observed a variety of sophisticated cybersecurity threats targeting member firms and their customers, including:
- Ransomware and Extortion Events: cyberattacks involving unauthorized access to firm systems, often installing malware to encrypt or access and steal sensitive firm data or customer information. The stolen or encrypted data is held for ransom;
- Data Breaches: unauthorized access, acquisition or disclosure of confidential information, such as firm data and customer data, including personally identifiable information (PII);
- Phishing,[4] Smishing[5] or Quishing:[6] deceptive social engineering attacks using email, SMS text messages or QR codes to redirect customers to malicious domains for the purposes of gathering their login and other credentials;
- New Account Fraud: attacks using falsified customer information or stolen identity information often purchased from criminal sites on the dark web, via a mobile app or internet browser, for the purpose of opening accounts;
- Account Takeovers: threat actors using compromised customer login credentials to gain unauthorized access to online accounts;
- Account Impersonations: threat actors using stolen customer information in combination with a compromised or spoofed email address to initiate actions, often a third-party wire transfer request, from the customer’s account;
- Imposter Sites: attacks leveraging spoofed domains and social media profiles (including those that impersonate financial firms, registered representatives and FINRA staff) to defraud firms and customers;
- Relationship Investment Scams: deceptive schemes targeting customers directly through social media or through text messages, establishing trust and then defrauding their victims; and
- Insider Threats: incidents involving firm employees who purposely or inadvertently use their access to firms’ systems to cause harm to firms and their customers.
Through a variety of partnerships, FINRA is also aware of the following emerging cyber threats potentially posing threats to firms:
- GenAI-Enabled Fraud: threat actors exploiting GenAI’s ease of use and wide range of applications to enhance their cyber-enabled crimes, for example, by:
  - generating fake content (e.g., imposter sites, false identification documents, deepfake audio and video);
  - creating polymorphic malware, which is a type of malicious software that constantly morphs, evolves or changes appearance to avoid detection by security products; and
  - leveraging GenAI models to develop malicious tools, allowing those without technical ability to become sophisticated cybercriminals.
- Cybercrime-as-a-Service: criminals with technical expertise selling tools and services—including information stealers, phishing kits and ransomware—to less technical threat actors, allowing them to commit sophisticated cybercrimes.
For additional guidance concerning threat actors’ manipulation of GenAI to gain access to financial accounts and create new accounts in the names of unsuspecting investors, please see the Continuing Risk: New Account Fraud and Account Takeovers “callout” box in the Anti-Money Laundering, Fraud and Sanctions topic.
Effective Practices
- Monitor for Customer Account Takeovers: Review unusual or suspicious activity such as wire requests to third-party accounts—including previously unused third parties—and suspicious login activity from unidentified browsers or locations to determine whether further action (e.g., trading and fund restrictions on the accounts) is appropriate.
- Multi-Factor Authentication: Use multi-factor authentication (MFA) for login access to the firm’s systems, including email and operational systems accessed by associated persons, firm staff, contractors and customers.
- Monitor for Imposter Domains or Accounts:
  - Monitor the internet (e.g., through a domain name service (DNS) monitoring service) for any newly created imposter domains fraudulently representing the firm or a registered representative.
  - Monitor social media for accounts impersonating firm personnel.
  - Maintain written procedures for responding to reports of imposter domains or social media accounts.
- Monitor Outbound Email: Scan outbound email and attachments to identify and block exfiltration of sensitive customer information or confidential firm data.
- BYOD Program: Establish reasonable supervision for associated persons, firm staff and registered representatives that establishes clear policies and procedures for secure use of “bring your own device (BYOD).”
- Conduct Training and Security Awareness: Regularly train staff on cybersecurity measures, including how to identify and report phishing or social engineering attacks.
- Identity Verification: Review email addresses and verify signatures associated with third-party accounts if funds are requested to be sent to or from those outside accounts.
- Conduct Tabletop Exercises (TTXs): Conduct TTXs with stakeholders to discuss cyber and technology threat management and incident response.
- Segment Networks: Subdivide networks into separate sections to limit threat actor movement laterally within a network.
- Cross-Team Communication: Encourage cyber and information technology staff to coordinate with AML staff about cybersecurity concerns and report suspicious activity.
- Monitor Third-Party Vendor Risk: Monitor risk arising from relationships with vendors.
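One way to implement the account-takeover review described above, as an added example that is not from the FINRA report: it flags logins from unrecognized browsers or locations and wires to previously unused third parties, and escalates a new-payee wire that follows a suspicious login within an assumed one-hour window. The event format and sample records are constructed for illustration.

```python
"""Account-takeover review over constructed customer activity events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the report): (timestamp, customer, kind, detail).
# A login's detail is (browser_id, country); a wire's detail is the beneficiary account.
EVENTS = [
    ("2025-03-01T09:00:00", "C100", "login", ("fp-aaa", "US")),
    ("2025-03-01T09:05:00", "C100", "wire", "ACCT-PAYEE-1"),
    ("2025-03-10T22:14:00", "C100", "login", ("fp-zzz", "RO")),  # unseen browser and country
    ("2025-03-10T22:20:00", "C100", "wire", "ACCT-PAYEE-9"),     # unseen third-party payee
    ("2025-03-11T08:00:00", "C200", "login", ("fp-bbb", "US")),
    ("2025-03-11T08:10:00", "C200", "wire", "ACCT-PAYEE-1"),
]

# Window in which a new-payee wire following a suspicious login is escalated (assumed value).
ESCALATION_WINDOW = timedelta(hours=1)


def review_events(events, window=ESCALATION_WINDOW):
    """Return (customer, severity, reason) alerts, building each customer's baseline as it goes."""
    known_browsers, known_countries = defaultdict(set), defaultdict(set)
    known_payees = defaultdict(set)
    last_suspicious_login = {}
    alerts = []
    for ts, cust, kind, detail in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind == "login":
            browser, country = detail
            reasons = []
            # The first login seeds the baseline; later logins are compared against it.
            if known_browsers[cust] and browser not in known_browsers[cust]:
                reasons.append("unrecognized browser")
            if known_countries[cust] and country not in known_countries[cust]:
                reasons.append("unrecognized location")
            if reasons:
                last_suspicious_login[cust] = t
                alerts.append((cust, "medium", "login: " + ", ".join(reasons)))
            known_browsers[cust].add(browser)
            known_countries[cust].add(country)
        elif kind == "wire" and detail not in known_payees[cust]:
            recent = last_suspicious_login.get(cust)
            if recent is not None and t - recent <= window:
                # New third party shortly after a suspicious login: review trading/fund restrictions.
                alerts.append((cust, "high", f"wire to new third party {detail} after suspicious login"))
            else:
                alerts.append((cust, "medium", f"wire to previously unused third party {detail}"))
            known_payees[cust].add(detail)
    return alerts
```

Wires to a payee the customer has used before produce no alert; in production the baseline would be loaded from account history rather than built from the event stream itself.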
Additional Resources
- FINRA
- SEC
  - Compliance Outreach on Regulation S-P
  - SEC Charges Three Individuals with Impersonating Financial Professionals in Fraud Scheme Targeting Retail Investors (Dec. 11, 2024)
  - SEC Adopts Rule Amendments to Regulation S-P to Enhance Protection of Customer Information (May 16, 2024)
  - Enhancements to Regulation S-P: A Small Entity Compliance Guide
- CISA
- FinCEN
[1] 17 CFR 248.30(a)(1).
[2] See 17 CFR 248.201(b)(3), which defines “covered account” as: (i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a brokerage account with a broker-dealer or an account maintained by a mutual fund (or its agent) that permits wire transfers or other payments to third parties; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
[3] 17 CFR 248.201(d).
[4] The term “phishing” refers to fraudulent schemes in which scammers send electronic communications purporting to be from a trustworthy entity or individual, and attempt to trick the recipient into revealing PII through certain actions (e.g., clicking on a link, opening an attachment). See Industry Risks and Threats – Resources for Member Firms for examples of prior phishing campaigns that targeted firms.
[5] The term “smishing” refers to fraudulent schemes in which scammers send text messages designed to manipulate targets into taking an unsafe action (e.g., clicking a link, replying with sensitive information). See the Investor Insights article Avoid Fraud: Be Alert to Investor Risks from SMS Phishing Scams for additional guidance related to identifying, preventing and responding to these schemes.
[6] The term “quishing” refers to business email compromise attacks that use QR codes in embedded PDFs to redirect victims to phishing URLs. See FINRA Cyber Alert—ONNX Store Purportedly Targeting Firms in Quishing Attacks for additional guidance related to identifying and preventing these attacks.