Given the evolving nature, increasing frequency, and sophistication of cybersecurity attacks – as well as the potential for harm to investors, firms, and the markets – cybersecurity practices are a key focus for FINRA.
FINRA also reviews a firm’s ability to protect the confidentiality, integrity and availability of sensitive customer information. This includes reviewing each firm’s compliance with SEC regulations, including:
- Regulation S-P (17 CFR §248.30), which requires firms to adopt written policies and procedures to protect customer information against cyber-attacks and other forms of unauthorized access
- Regulation S-ID (17 CFR §248.201-202), which outlines a firm's duties regarding the detection, prevention, and mitigation of identity theft
- The Securities Exchange Act of 1934 (17 CFR §240.17a-4(f)), which requires firms to preserve electronically stored records in a non-rewriteable, non-erasable format
FINRA reviews firms' approaches to cybersecurity risk management, including: technology governance, system change management, risk assessments, technical controls, incident response, vendor management, data loss prevention, and staff training.
FINRA has created a Checklist for a Small Firm's Cybersecurity Program (Excel 114 KB) to assist small firms in establishing a cybersecurity program to:
- identify and assess cybersecurity threats, protect assets from cyber intrusions
- detect when their systems and assets have been compromised
- plan for the response when a compromise occurs
- implement a plan to recover lost, stolen or unavailable assets
This checklist is primarily derived from the National Institute of Standards and Technology (NIST) Cybersecurity Framework and FINRA’s Report on Cybersecurity Practices.
Use of this checklist does not create a "safe harbor" with respect to FINRA rules, federal or state securities laws, or other applicable federal or state regulatory requirements.
Core Cybersecurity Controls for Small Firms is a list of core controls that are likely to be relevant to many small firms’ cybersecurity programs. This list was designed to help small firms in establishing an effective cybersecurity program.
Report on Selected Cybersecurity Practices – 2018 is a detailed review of effective information-security controls at securities firms. The report is designed to help broker-dealers – including small firms – further develop their cybersecurity programs. The report addresses areas that firms tend to find most challenging: cybersecurity controls in branch offices; methods of limiting phishing attacks; identifying and mitigating insider threats; elements of a strong penetration-testing program; and establishing and maintaining controls on mobile devices.
Report on Cybersecurity Practices (2015) highlights effective practices that firms should consider to strengthen their cybersecurity programs. The observations and practices in the report are based on a variety of sources, including a sweep we conducted in 2014 of firms of varying sizes and business models, a 2011 survey of firms and interviews with other organizations involved in cybersecurity. As we note in the report, there is no one-size-fits-all approach to a cybersecurity infrastructure. Rather, the risk management-based approach that we discuss in the report enables firms to tailor their program to their particular circumstances.
Firms should get to know their local Federal Bureau of Investigation (FBI) and proactively plan for a cybersecurity attack or breach.
In case your firm is the victim of a disruptive attack or breach, for instance your data has been accessed or your customers cannot do business, you should immediately report the incident to your:
In an effort to provide enhanced compliance tools and resources, FINRA has developed the Compliance Vendor Directory (CVD). The FINRA CVD is designed to give firms more options in locating vendors that provide compliance-related offerings, including cybersecurity vendors and services.
Use of any products, services and/or materials offered by these vendors does not ensure compliance with regulatory requirements or create a safe harbor from regulatory responsibility. Firms should undertake their own assessments to determine whether the products or services meet their technology and security requirements. FINRA does not endorse these vendors or products, services or materials they offer and firms are not obligated to use them.
FINRA has assembled a list of non-FINRA cybersecurity resources that firms may use to manage their cybersecurity risk. These resources include:
- news and analysis
- effective practices and guidance
- free diagnostic tools
Use of any of these resources does not ensure compliance with FINRA's cybersecurity rules and policies. FINRA does not endorse or guarantee any of the resources listed within.
FINRA's Office of General Counsel (OGC) staff provides broker-dealers, attorneys, registered representatives, investors and other interested parties with interpretative guidance relating to FINRA’s rules. Please see Interpreting the Rules for more information.
OGC staff contact:
1735 K Street, NW
Washington, DC 20006
- Imposter Websites Impacting Member Firms
- Distributed Denial of Service (DDoS) Attacks on Member Firms
- FINRA Warns Firms of Hoax Emails That Purport to Be From Regulators
- Verification of Emailed Instructions to Transmit or Withdraw Assets From Customer Accounts
- Members' Responsibilities When Outsourcing Activities to Third-Party Service Providers
- A Few Minutes With FINRAFINRA’s Senior Vice President of Member Relations and Education Chip Jones, leads a discussion with Chief Information Security Officer John Brady, Senior Director Steve Polansky and Kansas City Surveillance Director Dave Kelley, on FINRA’s 2018 report on selected cybersecurity practices. The discussion includes an overview of the report, which highlights effective practices in five challenging areas that firms should consider to strengthen and further develop their cybersecurity programs—as well as core cybersecurity controls for small firms. (30 min. 17 sec.)December 20, 2018
- Regulation and Compliance, PodcastCybersecurity is a major challenge for everyone – but it can be a particularly big challenge for those in the financial industry. That’s why FINRA released a new report highlighting effective cybersecurity practices for FINRA member firms. Learn more in this episode of FINRA Unscripted.December 20, 2018
- PodcastIn an era when much of our lives happen online, cybersecurity is more important than ever. But what do you do to protect your personal information? We all have a role to play in keeping ourselves secure. This National Cybersecurity Awareness Month, tune in to learn more about how you can keep yourself, your family and your clients safe online.October 23, 2018
- Market Safety, PodcastFrom banking and investing to social media and shopping, the internet is an essential part of our daily lives. That means cybersecurity is more important than ever. That is particularly true for FINRA, which can process up to 99 billion records in a single day. Here, John Brady explains how FINRA stays cyber secure.February 27, 2018
- Market Safety, Guidance, Video, Media CenterCybersecurity experts and regulators gathered in New York City on February 22, 2018 to focus on key ways the financial services industry can maintain cybersecurity.February 26, 2018
- Guidance, Report / Study, 2017 Exam Findings ReportCybersecurity is one of the principal operational risks facing broker-dealers. Recent revelations regarding successful attacks at a number of different entities underscore the need for firms to be vigilant in addressing cybersecurity threats.December 01, 2017
- A Few Minutes With FINRADave Kelley explains common cybersecurity program deficiencies related to vendor management, branch-level controls and data protection. (7 min. 45 sec.)July 24, 2017
- A Few Minutes With FINRADave Kelley talks about formalizing the oversight of a firm's cyber program and strengthening controls around access to data and systems. (6 min. 24 sec.)July 17, 2017
- A Few Minutes With FINRASusan Axelrod and Dave Kelley discuss common deficiencies FINRA staff see during examinations of firm's cybersecurity programs. (6 min. 34 sec.)July 10, 2017
- Compliance ToolsFINRA has assembled a list of resources that firms may use to manage their cybersecurity risk. These resources include: news and analysis; effective practices and guidance; and free diagnostic tools...October 25, 2016
- Compliance ToolsFINRA has created a checklist to assist small firms in establishing a cybersecurity program.May 23, 2016
- Report / StudyThe Report on Cybersecurity Practices focuses on the types of threats firms face, areas of vulnerabilities in their systems and firms' approaches to managing these threats.February 03, 2015
- Targeted Examination LetterFINRA is conducting an assessment of firms’ approaches to managing cyber-security threats. FINRA is conducting this assessment in light of the critical role information technology (IT) plays in the securities industry, the increasing threat to firms’ IT systems from a variety of sources, and the potential harm to investors, firms, and the financial system as a whole that these threats pose.January 01, 2014
- December 20, 2018
- December 21, 2016
- FINRA Fines Scottrade $2.6 Million for Significant Failures in Required Electronic Records and Email RetentionNovember 16, 2015
- February 03, 2015
- January 26, 2012
- October 05, 2009
- April 28, 2009
- May 12, 2008
- July 28, 2005
- September 02, 2004
- Investor EducationThese days, so much of our lives happen online. That makes cybersecurity more important than ever before. This National Cybersecurity Awareness Month, we’ve got five tips to help to stay safer and more secure online.
- Investor AlertYour brokerage firm has an obligation to safeguard your personal financial information. And every investor should take time to understand their firm’s cybersecurity procedures. But even the best procedures cannot prevent all instances of identity theft—especially if the vulnerability lies with you, the customer. Here are critical steps you can take to safeguard your financial accounts and help prevent identity theft.
- Investor AlertInformation technology (IT) plays a critical role in the securities industry. Unfortunately, cyber threats to the information and computer systems of brokerage firms are increasing, and with these threats comes the risk of potential harm to investors.
- Investor AlertFINRA is updating this Alert to tell you about some of the latest online identify theft scams targeting financial sector customers and to provide tips for spotting and avoiding these scams.
- Investor AlertFINRA has received an increasing number of reports involving investor funds being stolen by fraudsters who first gain access to the investor’s email account and then email instructions to the firm to transfer money out of the brokerage account. In addition to issuing a Regulatory Notice to firms, we are issuing this Alert to warn investors about the potential financial consequences of a compromised email account and to provide tips for safeguarding your assets.
- Investor AlertIn another variation of the identity theft tale, stock traders posing as employees of a made-up Latvian brokerage firm appear to have stolen personal information from individuals who thought they were applying for a job through the popular classifieds website, Craigslist (www.craigslist.org).
- Investor AlertThe Internet and, more recently, wireless technology have made it easy for investors to check brokerage account information and initiate investment transactions on the go. We are issuing this Alert to warn investors to take precautions to help ensure the security of their brokerage accounts. Not doing so puts your account information and investments at risk.
- Investor EducationUse this checklist to safeguard your sensitive information and help keep identity thieves at bay.