
Third-Party Risk Landscape

Regulatory Obligations

FINRA expects firms to establish and maintain a reasonably designed supervisory system for outsourced activities, including establishing, maintaining and enforcing written supervisory procedures (WSPs), to ensure compliance with applicable securities laws and regulations and FINRA rules.

FINRA encourages firms that use—or are contemplating using—third-party vendors to assess whether their supervisory procedures and controls for outsourced activities or functions are sufficient to maintain compliance with applicable rules—for example, FINRA Rule 1220 (Registration Categories), FINRA Rule 3110 (Supervision) and FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information), and SEC Regulation S-P.

Additionally, FINRA has observed an increase in reports of cyberattacks and outages at firms’ third-party vendors. Given the financial industry’s reliance on third-party vendors to support key systems and covered functions,[1] an attempted cyberattack or an outage at a single third-party provider could affect a large number of member firms at once. FINRA continues to monitor third-party provider risks in the interests of member firms.

FINRA’s Firm Outreach

FINRA’s Risk Monitoring program engages with firms on an ongoing basis to understand how firms use and supervise third-party vendors. 

  • In January 2025, FINRA issued a request for firms to update information related to their engagements with third-party vendors, particularly those they use for mission-critical systems and functions. This information supplemented FINRA’s understanding of the potential impact a third-party vendor cybersecurity event might have on member firms and the securities markets.
  • FINRA has used the information gathered to quickly and proactively alert firms of cybersecurity and other vendor-related events that may affect them.

Firms can contact their Risk Monitoring Analyst to report any changes to third-party vendors that support their key systems or any cybersecurity events at these vendors.

  • New in 2025, as a key component of the FINRA Forward initiatives, FINRA has launched FINRA Cyber & Operational REsilience (CORE). CORE identifies, assesses and shares cyber and technology risk intelligence directly with potentially impacted firms, delivering actionable insights and mitigation tactics. Additionally, CORE enhances visibility of risks and threats across the broker-dealer landscape, enabling early detection of vendor-related threats, systemic technology failures and emerging cyberattack patterns, aiding in investor protection and market integrity efforts.

Effective Practices

  • Conduct initial and ongoing due diligence on third-party vendors supporting mission-critical systems (e.g., information technology and cybersecurity, AML monitoring), including:
    • assessing the third-party vendor’s use of GenAI[2] in their products or services;
    • ensuring contracts with third-party vendors comply with regulatory obligations (e.g., adding language that prohibits sensitive firm or customer information from being ingested into a third-party vendor’s open-source GenAI tool); and
    • validating data protection controls in third-party vendor contracts.
  • Maintain an inventory of all third-party vendor-provided services, hardware, systems and software components—including the version—used by the firm.
  • Maintain an inventory of firm data types accessed or stored by the firm’s vendors.
  • Assess the potential impact of a cybersecurity incident or technology outage at a third-party vendor.
  • Monitor third-party vendor services for vulnerabilities or data breaches.
  • Establish adequate third-party vendor risk management policies and supervisory controls, including risk assessments and contingency plans.
  • Review and adjust third-party vendor tool default features and settings to meet business needs and applicable regulatory obligations.
  • Involve third-party vendors in firm Incident Response Plan testing.
  • Incorporate procedures to return or destroy firm data at the termination or conclusion of a vendor contract.
  • Ensure vendor access to systems, data and corporate infrastructure is revoked when the relationship ends.
  • Assess the risk of any fourth-party vendors handling firm data.

Additional Resources

Technology Management

Effective technology management factors significantly into regulatory compliance. When the technology systems that member firms rely on experience outages, operate sub-optimally or lack appropriate controls, the consequences can impair a firm’s ability to meet its regulatory obligations. Below are some effective practices related to technology management that FINRA has observed at member firms.

  • Governance: Establishing a comprehensive technology governance framework with clear accountability, oversight structures and documented processes to systematically identify, assess, mitigate and monitor technology risks across the enterprise. Documenting these processes, including change, incident and problem management, in the firm’s WSPs.
  • Risk Assessments: Regularly assessing the firm’s technology risk profile based on changes in the firm’s size, business model and technology stack. Regularly updating the firm’s Information Technology Governance program based on those assessments.
  • Artificial Intelligence (AI)/Large Language Models (LLMs): Establishing a supervision, governance or model risk management framework with clear policies and procedures for AI/LLM development, implementation, use and monitoring, while maintaining comprehensive documentation throughout. Ensuring that data management for AI/LLM systems addresses data quality, integrity, retention and data security.[3]
  • Identity and Access Management: Implementing identity and access management controls that enforce least-privilege principles, require multi-factor authentication and maintain regular access reviews for both human and non-human (service) accounts, to prevent unauthorized system access and protect sensitive data.
  • Data Backups: Completing regular backups of critical data and systems, and ensuring the backup copies are encrypted and stored off-network. Regularly testing the recovery of data from backups to confirm information can be restored.
  • Branch Office Procedures: Limiting the use of branch-managed servers for email or other applications (e.g., customer relationship management, reporting). If branch-managed servers or applications are permitted, ensuring devices and applications are inventoried.
  • Configuration Management: Confirming desktops, laptops, applications and servers are inventoried and configured to the standards needed for the firm to conduct business.
  • Digital Transformation and the Adoption of Cloud: Planning and designing, in advance, the processes used when adopting cloud-based systems or technology, to confirm the firm is adequately prepared before the move.
  • Log Management: Capturing and retaining log data from a broad set of sources according to factors like compliance requirements, business needs and type of data.
  • IT Resiliency: Implementing and testing firm controls, and, where relevant, vendor controls, to maintain acceptable service levels during disruption of critical IT systems or services. 
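Two of the practices above, revoking vendor access when the relationship ends (under Effective Practices) and the least-privilege, MFA and access-review controls for human and non-human accounts (Identity and Access Management), reduce to the same periodic check: correlate every enabled vendor account with the firm’s contract register and flag anything that should not still exist or exceeds what the contract authorizes. The script below is an added example written for this page; it is not FINRA’s code and the Report prescribes no tooling. The vendors, accounts and dates are constructed sample data, and the 90-day dormancy and 365-day credential-age thresholds are assumptions a firm would instead set in its WSPs.

```python
"""Vendor account access review (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    contract_end: Optional[date]        # None means the contract is still active
    approved_roles: frozenset           # least-privilege baseline agreed in the contract


@dataclass(frozen=True)
class Account:
    account_id: str
    vendor_id: str
    kind: str                           # "human" or "service" (non-human)
    roles: frozenset
    enabled: bool
    mfa_enrolled: bool = False          # relevant to human accounts
    last_activity: Optional[date] = None
    credential_rotated: Optional[date] = None   # last key/secret rotation (service accounts)


@dataclass(frozen=True)
class Finding:
    account_id: str
    code: str
    detail: str


# Assumed review thresholds; a firm would set these in its WSPs.
DORMANT_DAYS = 90
MAX_CREDENTIAL_AGE_DAYS = 365


def review_accounts(vendors: List[Vendor], accounts: List[Account], today: date) -> List[Finding]:
    """Correlate each enabled vendor account with the contract register and flag exceptions."""
    register = {v.vendor_id: v for v in vendors}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue                    # already revoked; nothing to flag
        vendor = register.get(acct.vendor_id)
        if vendor is None:              # account survives a vendor nobody has a contract with
            findings.append(Finding(acct.account_id, "ORPHANED",
                                    f"vendor {acct.vendor_id} not on the contract register"))
            continue
        if vendor.contract_end is not None and vendor.contract_end < today:
            findings.append(Finding(acct.account_id, "NOT_REVOKED",
                                    f"{vendor.name} contract ended {vendor.contract_end}"))
        excess = acct.roles - vendor.approved_roles
        if excess:                      # privileges beyond the contract's least-privilege baseline
            findings.append(Finding(acct.account_id, "EXCESS_PRIVILEGE",
                                    "roles beyond contract baseline: " + ", ".join(sorted(excess))))
        if acct.kind == "human" and not acct.mfa_enrolled:
            findings.append(Finding(acct.account_id, "NO_MFA", "human account without MFA"))
        if acct.kind == "service":      # non-human accounts: rotation age stands in for MFA
            if acct.credential_rotated is None:
                findings.append(Finding(acct.account_id, "STALE_CREDENTIAL", "credential never rotated"))
            elif (today - acct.credential_rotated).days > MAX_CREDENTIAL_AGE_DAYS:
                findings.append(Finding(acct.account_id, "STALE_CREDENTIAL",
                                        f"credential age {(today - acct.credential_rotated).days} days"))
        if acct.last_activity is None or (today - acct.last_activity).days > DORMANT_DAYS:
            findings.append(Finding(acct.account_id, "DORMANT",
                                    f"no activity since {acct.last_activity}"))
    return findings


def findings_by_account(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Group finding codes per account for reporting or assertions."""
    grouped: Dict[str, Set[str]] = {}
    for f in findings:
        grouped.setdefault(f.account_id, set()).add(f.code)
    return grouped


# Constructed sample data: fictitious vendors and accounts, not real entities.
TODAY = date(2025, 6, 30)
VENDORS = [
    Vendor("V-100", "Acme Surveillance", None, frozenset({"aml.read", "aml.case.write"})),
    Vendor("V-200", "Legacy Reporting", date(2025, 3, 31), frozenset({"reports.read"})),
]
ACCOUNTS = [
    Account("acme-jdoe", "V-100", "human", frozenset({"aml.read", "aml.case.write"}),
            enabled=True, mfa_enrolled=True, last_activity=date(2025, 6, 28)),
    Account("acme-svc-ingest", "V-100", "service", frozenset({"aml.read", "aml.case.write", "admin"}),
            enabled=True, last_activity=date(2025, 6, 29), credential_rotated=date(2024, 1, 15)),
    Account("legacy-rsmith", "V-200", "human", frozenset({"reports.read"}),
            enabled=True, mfa_enrolled=False, last_activity=date(2025, 2, 10)),
    Account("legacy-disabled", "V-200", "human", frozenset({"reports.read"}), enabled=False),
    Account("old-vendor-bot", "V-999", "service", frozenset({"reports.read"}),
            enabled=True, last_activity=date(2025, 6, 1)),
]


def run_review() -> List[Finding]:
    return review_accounts(VENDORS, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for f in sorted(run_review(), key=lambda f: (f.account_id, f.code)):
        print(f"{f.account_id:18} {f.code:17} {f.detail}")
```

Run against the sample data, the review flags the account left behind after the Legacy Reporting contract ended (NOT_REVOKED, plus NO_MFA and DORMANT), the ingest service account that holds an admin role outside its contract baseline on a credential last rotated in early 2024, and a service account whose vendor is not on the register at all; the disabled account and the compliant human account produce nothing. In practice the two inputs would come from the firm’s vendor management system and identity provider exports, and every finding would map to a revocation ticket or a documented exception.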

[1] Key systems can involve areas such as trading systems; clearing, carrying, and settlement functions; cybersecurity; and technology services. However, the use of these systems may vary at individual broker-dealers, depending on their business model or reliance on the use of technology within their business operations. Key systems may also be used to support covered functions (as defined by FINRA Rule 1220(b)(3)(A)(ii) (Customer Account Statements)).

[2] See the Report’s GenAI: Continuing and Emerging Trends topic for additional guidance.

[3] See the Report’s GenAI: Continuing and Emerging Trends topic for additional guidance.