Cybersecurity

Given the evolving nature, increasing frequency, and sophistication of cybersecurity attacks – as well as the potential for harm to investors, firms, and the markets – cybersecurity practices are a key focus for FINRA.

FINRA also reviews a firm’s ability to protect the confidentiality, integrity and availability of sensitive customer information. This includes reviewing each firm’s compliance with SEC regulations, including:

Regulation S-P (17 CFR §248.30), which requires firms to adopt written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorized access
Regulation S-ID (17 CFR §248.201-202), which outlines a firm's duties regarding the detection, prevention, and mitigation of identity theft
The Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)), which requires firms to preserve electronically stored records in a non-rewriteable, non-erasable format

FINRA reviews firms' approaches to cybersecurity risk management, including: technology governance, system change management, risk assessments, technical controls, incident response, vendor management, data loss prevention, and staff training.

Small Firm Cybersecurity Checklist

FINRA has created a Checklist for a Small Firm's Cybersecurity Program (Excel 114 KB) to assist small firms in establishing a cybersecurity program to:

identify and assess cybersecurity threats, protect assets from cyber intrusions
detect when their systems and assets have been compromised
plan for the response when a compromise occurs
implement a plan to recover lost, stolen or unavailable assets

This checklist is primarily derived from the National Institute of Standards and Technology (NIST) Cybersecurity Framework and FINRA’s Report on Cybersecurity Practices.

Use of this checklist does not create a "safe harbor" with respect to FINRA rules, federal or state securities laws, or other applicable federal or state regulatory requirements.

Download the Cybersecurity Checklist

Core Cybersecurity Controls for Small Firms

Core Cybersecurity Controls for Small Firms is a list of core controls that are likely to be relevant to many small firms’ cybersecurity programs. This list was designed to help small firms in establishing an effective cybersecurity program.

DOWNLOAD THE LIST

FINRA Reports on Cybersecurity Practices

Report on Selected Cybersecurity Practices – 2018 is a detailed review of effective information-security controls at securities firms. The report is designed to help broker-dealers – including small firms – further develop their cybersecurity programs. The report addresses areas that firms tend to find most challenging: cybersecurity controls in branch offices; methods of limiting phishing attacks; identifying and mitigating insider threats; elements of a strong penetration-testing program; and establishing and maintaining controls on mobile devices.

DOWNLOAD THE REPORT

Report on Cybersecurity Practices (2015) highlights effective practices that firms should consider to strengthen their cybersecurity programs. The observations and practices in the report are based on a variety of sources, including a sweep we conducted in 2014 of firms of varying sizes and business models, a 2011 survey of firms and interviews with other organizations involved in cybersecurity. As we note in the report, there is no one-size-fits-all approach to a cybersecurity infrastructure. Rather, the risk management-based approach that we discuss in the report enables firms to tailor their program to their particular circumstances.

DOWNLOAD THE REPORT

In Case of a Disruptive Attack or Breach

Firms should get to know their local Federal Bureau of Investigation (FBI) and proactively plan for a cybersecurity attack or breach.

In case your firm is the victim of a disruptive attack or breach, for instance your data has been accessed or your customers cannot do business, you should immediately report the incident to your:

Vendors and Consultants

In an effort to provide enhanced compliance tools and resources, FINRA has developed the Compliance Vendor Directory (CVD). The FINRA CVD is designed to give firms more options in locating vendors that provide compliance-related offerings, including cybersecurity vendors and services.

Use of any products, services and/or materials offered by these vendors does not ensure compliance with regulatory requirements or create a safe harbor from regulatory responsibility. Firms should undertake their own assessments to determine whether the products or services meet their technology and security requirements. FINRA does not endorse these vendors or products, services or materials they offer and firms are not obligated to use them.

GO TO THE COMPLIANCE VENDOR DIRECTORY

Non-FINRA Resources

FINRA has assembled a list of non-FINRA cybersecurity resources that firms may use to manage their cybersecurity risk. These resources include:

news and analysis
effective practices and guidance
free diagnostic tools

Use of any of these resources does not ensure compliance with FINRA's cybersecurity rules and policies. FINRA does not endorse or guarantee any of the resources listed within.

Contact OGC

FINRA's Office of General Counsel (OGC) staff provides broker-dealers, attorneys, registered representatives, investors and other interested parties with interpretative guidance relating to FINRA’s rules. Please see Interpreting the Rules for more information.

OGC staff contact:
Jeanette Wingler
FINRA, OGC
1735 K Street, NW
Washington, DC 20006
(202) 728-8000

FINRA Rules
3110. Supervision
FINRA Rules
3120. Supervisory Control System
FINRA Rules
4530. Reporting Requirements
FINRA Rules
4530. Reporting Requirements

Information Notice – 4/29/19
Imposter Websites Impacting Member Firms
Mon, 04/29/2019 - 12:00
Information Notice – 6/19/15
Distributed Denial of Service (DDoS) Attacks on Member Firms
Fri, 06/19/2015 - 12:00
Information Notice 2/9/12
FINRA Warns Firms of Hoax Emails That Purport to Be From Regulators
Wed, 02/29/2012 - 12:00
Regulatory Notice 12-05
Verification of Emailed Instructions to Transmit or Withdraw Assets From Customer Accounts
Thu, 01/26/2012 - 12:00
Notice to Members 05-48
Members' Responsibilities When Outsourcing Activities to Third-Party Service Providers
Fri, 07/22/2005 - 12:00

A Few Minutes With FINRA
A Few Minutes With FINRA: Report on Selected Cybersecurity Practices – 2018
FINRA’s Senior Vice President of Member Relations and Education Chip Jones, leads a discussion with Chief Information Security Officer John Brady, Senior Director Steve Polansky and Kansas City Surveillance Director Dave Kelley, on FINRA’s 2018 report on selected cybersecurity practices. The discussion includes an overview of the report, which highlights effective practices in five challenging areas that firms should consider to strengthen and further develop their cybersecurity programs—as well as core cybersecurity controls for small firms. (30 min. 17 sec.)
December 20, 2018
Regulation and Compliance, Podcast
Bits & Bytes: A Look at Effective Cybersecurity Practices
Cybersecurity is a major challenge for everyone – but it can be a particularly big challenge for those in the financial industry. That’s why FINRA released a new report highlighting effective cybersecurity practices for FINRA member firms. Learn more in this episode of FINRA Unscripted.
December 20, 2018
Podcast
Cybersecurity Awareness Month: Stay Connected and Protected
In an era when much of our lives happen online, cybersecurity is more important than ever. But what do you do to protect your personal information? We all have a role to play in keeping ourselves secure. This National Cybersecurity Awareness Month, tune in to learn more about how you can keep yourself, your family and your clients safe online.
October 23, 2018
Market Safety, Podcast
Combatting Cybersecurity Threats
From banking and investing to social media and shopping, the internet is an essential part of our daily lives. That means cybersecurity is more important than ever. That is particularly true for FINRA, which can process up to 99 billion records in a single day. Here, John Brady explains how FINRA stays cyber secure.
February 27, 2018
Market Safety, Guidance, Video, Media Center
Cybersecurity Experts Gather for FINRA Conference
Cybersecurity experts and regulators gathered in New York City on February 22, 2018 to focus on key ways the financial services industry can maintain cybersecurity.
February 26, 2018
Guidance, Report / Study, 2017 Exam Findings Report
Cybersecurity
Cybersecurity is one of the principal operational risks facing broker-dealers. Recent revelations regarding successful attacks at a number of different entities underscore the need for firms to be vigilant in addressing cybersecurity threats.
December 01, 2017
A Few Minutes With FINRA
A Few Minutes with FINRA: Cybersecurity – Part III
Dave Kelley explains common cybersecurity program deficiencies related to vendor management, branch-level controls and data protection. (7 min. 45 sec.)
July 24, 2017
A Few Minutes With FINRA
A Few Minutes with FINRA: Cybersecurity – Part II
Dave Kelley talks about formalizing the oversight of a firm's cyber program and strengthening controls around access to data and systems. (6 min. 24 sec.)
July 17, 2017
A Few Minutes With FINRA
A Few Minutes with FINRA: Cybersecurity – Part I
Susan Axelrod and Dave Kelley discuss common deficiencies FINRA staff see during examinations of firm's cybersecurity programs. (6 min. 34 sec.)
July 10, 2017
Compliance Tools
Non-FINRA Cybersecurity Resources
FINRA has assembled a list of resources that firms may use to manage their cybersecurity risk. These resources include: news and analysis; effective practices and guidance; and free diagnostic tools...
October 25, 2016
Compliance Tools
Small Firm Cybersecurity Checklist
FINRA has created a checklist to assist small firms in establishing a cybersecurity program.
May 23, 2016
Report / Study
2015 Cybersecurity Report
The Report on Cybersecurity Practices focuses on the types of threats firms face, areas of vulnerabilities in their systems and firms' approaches to managing these threats.
February 03, 2015
Targeted Examination Letter
Targeted Examination Letter on Cybersecurity
FINRA is conducting an assessment of firms’ approaches to managing cyber-security threats. FINRA is conducting this assessment in light of the critical role information technology (IT) plays in the securities industry, the increasing threat to firms’ IT systems from a variety of sources, and the potential harm to investors, firms, and the financial system as a whole that these threats pose.
January 01, 2014

FINRA Publishes Report on Selected Cybersecurity Practices – 2018
December 20, 2018
FINRA Fines 12 Firms a Total of $14.4 Million for Failing to Protect Records From Alteration
December 21, 2016
FINRA Fines Scottrade $2.6 Million for Significant Failures in Required Electronic Records and Email Retention
November 16, 2015
FINRA Issues Report on Cybersecurity Practices, Cybersecurity Investor Alert
February 03, 2015
FINRA Warns Investors of Email Hack Attacks
January 26, 2012
FINRA Warns Public of Scam Using Fake FINRA Emails in "Phishing" Scheme
October 05, 2009
FINRA Fines Centaurus Financial $175,000 for Failure to Protect Confidential Customer Information
April 28, 2009
FINRA Warns Job Seekers About Online Classifieds Scams Aimed at Identity Theft, Financial Fraud
May 12, 2008
NASD Warns Investors to Protect Online Account Information
July 28, 2005
NASD Investor Alert: Protecting Against Online Identity Theft
September 02, 2004

Investor Education
5 Tips to Stay Safe Online This National Cybersecurity Awareness Month
These days, so much of our lives happen online. That makes cybersecurity more important than ever before. This National Cybersecurity Awareness Month, we’ve got five tips to help to stay safer and more secure online.
Investor Alert
Keeping Your Account Secure: Tips for Protecting Your Financial Information
Your brokerage firm has an obligation to safeguard your personal financial information. And every investor should take time to understand their firm’s cybersecurity procedures. But even the best procedures cannot prevent all instances of identity theft—especially if the vulnerability lies with you, the customer. Here are critical steps you can take to safeguard your financial accounts and help prevent identity theft.
Investor Alert
Cybersecurity and Your Brokerage Firm
Information technology (IT) plays a critical role in the securities industry. Unfortunately, cyber threats to the information and computer systems of brokerage firms are increasing, and with these threats comes the risk of potential harm to investors.
Investor Alert
"Phishing" and Other Online Identity Theft Scams: Don't Take the Bait
FINRA is updating this Alert to tell you about some of the latest online identify theft scams targeting financial sector customers and to provide tips for spotting and avoiding these scams.
Investor Alert
Email Hack Attack? Be Sure to Notify Brokerage Firms and Other Financial Institutions
FINRA has received an increasing number of reports involving investor funds being stolen by fraudsters who first gain access to the investor’s email account and then email instructions to the firm to transfer money out of the brokerage account. In addition to issuing a Regulatory Notice to firms, we are issuing this Alert to warn investors about the potential financial consequences of a compromised email account and to provide tips for safeguarding your assets.
Investor Alert
Beware of Online Job Classifieds Used to Steal Your Identity
In another variation of the identity theft tale, stock traders posing as employees of a made-up Latvian brokerage firm appear to have stolen personal information from individuals who thought they were applying for a job through the popular classifieds website, Craigslist (www.craigslist.org).
Investor Alert
Protect Your Online Brokerage Account: Safety Should Come First When Logging In and Out
The Internet and, more recently, wireless technology have made it easy for investors to check brokerage account information and initiate investment transactions on the go. We are issuing this Alert to warn investors to take precautions to help ensure the security of their brokerage accounts. Not doing so puts your account information and investments at risk.
Investor Education
Safeguarding Your Financial Information: An Identity Theft Prevention Checklist
Use this checklist to safeguard your sensitive information and help keep identity thieves at bay.

2017 Exam Findings Report
2018 Exam Findings Report
About FINRA
Annual Regulatory and Examination Priorities Letters
Board of Governors Meeting
Compliance Tools
Continuing Education
Election Notice
Email to Firms
Events & Training
Exemptive Letter
FAQ
Filing and Reporting
Financial Reports
Guidance
Information Notice
Interpretive Letter
Investor Alert
Investor Education
Investor Insights
Key Topic
Manage Your Career
Disciplinary Actions
News Release
Oversight & Enforcement
Podcast
Qualification Exam
Registration
Regulatory and Compliance Alerts (RCA)
Regulatory Notice
Report / Study
Report Card
Request for Comment
Rule
Rule Filing
Speech / Testimony
Targeted Examination Letter
Technical Documentation
Technical Notice
Trade Reporting Notice
Video

401(k)
403(b)
457
529 Prepaid Tuition Plans
529 Savings Plans
Accounts At Other Broker Dealers and Financial Institutions
Advertising Regulation
Agency Bonds
Algorithmic Trading
Alternative and Complex Products
Alternative Display Facility (ADF)
Annual Audit
Anti-Money Laundering
Arbitration and Mediation
Asset Backed Securities
Auction Rate Securities
Back testing
Bank Products
Best Execution
Best Practices
Block Chain / Distributed Ledger Technology
Blue Sheets
Bond Funds
Bond Mutual Fund Volatility/Risk Rating
Bonds
Books and Records
Branch Offices
Breakpoints
Broker Dealer Registration
Broker Migration
Broker-Dealer Recruitment Disclosures
Brokerage
BrokerCheck
Business Cards
Business Continuity Planning
Business Development Company (BDC)
Capital Acquisition Brokers
Capital Formation
Carrying Agreements
Cash Equivalents
Catastrophe Bonds
Central Registration Depository (CRD)
Certificates of Deposit (CDs)
Collateralized Mortgage Obligations (CMOs)
College Savings Plans
Commodities and Futures
Communications with the Public
Compensation
Compliance Resources
Comprehensive Automated Risk Data System (CARDS)
Conflicts of Interest
Consolidated Audit Trail (CAT)
Consolidated Reports
Continuing Education
Continuing Membership Applications
Continuing Membership Applications
Corporate Bonds
Corporate Financing
Correspondence
Correspondence
Coverdell Education Saving Accounts (ESAs)
Credit for Cooperation
Custodial Accounts (UGMA and UTMA)
Customer Account Statements
Customer Account Transfers
Customer Information Protection
Customer Orders
Cybersecurity
Day Trading
Deferred Annuities
Department of Labor
Derivatives and Other Balance Sheet Items (OBS)
Direct Participation Programs (DPPs)
E-Bill
Education
EFocus
Electronic Communications
Electronic Filing Requirements
Electronic Fingerprint Processing
Electronic Fingerprint Submission (EFS)
Enforcement
Enforcement Process
Engagement
Equities
Equity-Indexed Annuities
Essentials Exam
Event Linked Bonds
Exam Restructuring
Exams
Exchange Traded Funds (ETFs)
Expense Ratio
Expertise
Fee Disclosure
Fees
Filing Requirements
Financial and Operational Rules, Interpretations of
Financial Responsibility
Financial Stress Test
Fingerprints
FINRA Foundation
FINRA Logo
FINRA Membership/Name
FINRA360
FinTech
Firm Examination Program
Fixed Annuities
Fixed Income
Foreign Exchange Trading
Free Writing Prospectus
Funding and Liquidity
Funding Portal Registration
Funding Portals
Funds
GASB Accounts Support Fee
Generation X
Ghost-writing
Gifts and Gratuities
Governmental Accounting Standards Board (GASB)
Hedge Funds
High Risk Brokers
High Yield Bonds
High Yield Securities
Home Equity Funded Investments
Hyperlinks
Illiquid Investments
Indications of Interest
Individual Registration
Individual Retirement Accounts (IRAs)
Inexperienced
Information and Testimony Requests
Initial Public Offering (IPO)
Innovation
INSITE
Institutional Communications
Insurance
International and Emerging Market Bonds
Investment Analysis Tools
Investment Products
Investors
Junk Bonds
Letterhead
Life Settlements
Limit Order
Linking to BrokerCheck
Margin Accounts
Margin Risk Disclosure
Mark-ups / Mark-Downs
Market Access
Market Order
Market Regulation
Market Transparancy
Materiality Consultation Process
Member Application Program
Mergers Acquisitions and Business Transfers
Military
Military Spouses
Millennials
Money Market Securities
Mortgage Backed Securities
Mortgages
Municipal Advisor Regulation
Municipal Fund Securities
Municipal Securities
Mutual Funds
National Adjudicatory Council (NAC)
National Do-Not-Call Registry
National Market System Plans
Near Retirement
Negative Response Letters
Net Capital
New Account Process
New Firm Communications
New Investor
Non-cash Compensation
Office of Fraud Detection and Market Intelligence
Office of Hearing Officers (OHO)
Office of the Chief Economist
Office of the General Counsel
Operations
Options
Options Exchange Filings
Order Audit Trail System (OATS)
Order Handling
OTC (ATS & Non-ATS) Transparency
OTC Bulletin Board (OTCBB)
Over-the-Counter Reporting Facility (ORF)
Oversight
Penny Stocks
Pre-investor
Preferred Securities
Principal Approval
Principal Protected Notes
Private Placements
Product Vetting
Professional Designations
Projections
Promissory Notes
Proprietary Trading
Public Disclosure Program
Public non-traded REITS
Public Offerings
Qualification Exams
Rankings
Real Estate Investment Trusts
Registered Investment Advisers (RIA)
Registration and Disclosure (RAD)
Regulation A Offerings
Regulation Best Interest (REG BI)
Regulation D Offerings
Regulation M
Regulation M Filings
Regulation NMS
Related Performance
Renewal Program
Reporting
Reprints
Research Analyst Rules
Research Disclosures
Research Reports
Retirement Savings Plans
Reverse Convertible Notes (RCN)
Risk Management
Rule 4530 Reporting Requirements
Sales Practices
Sanction Guidelines
Savings Accounts
Securities Investor Protection Corporation - SIPC
Security Futures
SEC’s July 2013 Financial Responsibility Rule Amendments
Senior Designations
Senior Investors
Shareholder Reports
Short Interest Reporting
Short Selling
Social Media
Statutory Disqualification
Stocks
Structured Products
Subordination Agreements
Suitability
Supervision
Supplemental Statement of Income (SSOI)
Technology
Teens
Telemarketing
Television and Video
Templates
Tenants-in-Common Interests
Third Party Research
Thrift savings plan (TSP)
Tick Size Pilot Program
Trade Reporting and Compliance Engine (TRACE)
Trade Reporting Facility (TRF)
Trading Activity Fee
Treasury Bills
Treasury Bonds
Treasury Inflation Protected Securities (TIPS)
Treasury Notes
U.S. Treasury Securities
Uniform Practice Code (UPC)
Update a Firm's Registration
Variable Annuities
Variable Life
Variable Life Insurance Products
VIX-Linked Products (Volatility Index)
Women