Cybersecurity

Given the evolving nature, increasing frequency, and mounting sophistication of cybersecurity attacks – as well as the potential for harm to investors, firms, and the markets – cybersecurity practices are a key focus for firms and FINRA.

FINRA evaluates firms’ approaches to cybersecurity risk management through reviews of their controls in areas including: technology governance, risk assessment, technical controls, access management, incident response, vendor management, data loss prevention, system change management, branch controls and staff training. Through these reviews, FINRA also assesses a firm’s ability to protect the confidentiality, integrity, and availability of sensitive customer information.

These pages are designed to assist a firm in building out its cybersecurity program by addressing the individual risks and discussing related controls needed to protect customer and firm confidential data. FINRA has updated this Cybersecurity page to include the following resources:

In Case Of A Disruptive Attack or Breach
Common Cybersecurity Threats
Events
Reports
Compliance Tools
Media
FINRA Cybersecurity Contact

In Case of a Disruptive Attack or Breach

Firms should get to know their local Federal Bureau of Investigation (FBI) and proactively plan for a cybersecurity attack or breach.

In case your firm is the victim of a disruptive attack or breach, for instance your data has been accessed or your customers cannot do business, you should immediately report the incident to your:

Common Cybersecurity Threats

This section highlights some of the common cybersecurity threats faced by broker-dealers. In a number of cases, FINRA has observed that different types of attacks were coordinated and overlapped.

Phishing
Imposter Websites
Malware
Account Compromise or Takeover

Fraudulent Wires
Ransomware
Distributed Denial-of-Service (“DDoS”) Attacks
Vendor Breaches

Learn more about common cybersecurity threats

Events

2020 Cybersecurity Conference

January 14, 2020 • New York, NY
FINRA’s Cybersecurity Conference helps you stay current on today’s cybersecurity challenges and the ways in which organizations can understand vulnerabilities and threats, and create resilience against cyber attacks.

2019 Small Firm Conference

October 23 – 24, 2019 • Santa Monica, CA
The Small Firm Conference focuses on small firms’ practices and tips for complying with FINRA rules. Don't miss Thursday morning's panel entitled, "Cybersecurity Guidance for Small Firms."

Reports

2018 Report on Selected Cybersecurity Practices is a detailed review of effective information-security controls at securities firms. The report is designed to help broker-dealers – including small firms – further develop their cybersecurity programs. The report addresses areas that firms tend to find most challenging: cybersecurity controls in branch offices; methods of limiting phishing attacks; identifying and mitigating insider threats; elements of a strong penetration-testing program; and establishing and maintaining controls on mobile devices.

2015 Report on Cybersecurity Practices highlights effective practices that firms should consider to strengthen their cybersecurity programs. The observations and practices in the report are based on a variety of sources, including a sweep we conducted in 2014 of firms of varying sizes and business models, a 2011 survey of firms and interviews with other organizations involved in cybersecurity. As we note in the report, there is no one-size-fits-all approach to a cybersecurity infrastructure. Rather, the risk management-based approach that we discuss in the report enables firms to tailor their program to their particular circumstances.

Compliance Tools

Small Firm Cybersecurity Checklist
FINRA has created a Checklist for a Small Firm's Cybersecurity Program to assist small firms in establishing a cybersecurity program.

Compliance Vendor Directory (CVD)
In an effort to provide enhanced compliance tools and resources, FINRA has developed the Compliance Vendor Directory (CVD). The FINRA CVD is designed to give firms more options in locating vendors that provide compliance-related offerings, including cybersecurity vendors and services.

Core Cybersecurity Controls for Small Firms
Core Cybersecurity Controls for Small Firms is a list of core controls that are likely to be relevant to many small firms’ cybersecurity programs. This list was designed to help small firms in establishing an effective cybersecurity program.

Non-FINRA Resources
FINRA has assembled a list of non-FINRA cybersecurity resources that firms may use to manage their cybersecurity risk.

FINRA Rules Related to Cybersecurity

SEC Rules Related to Cybersecurity

248.201-202. Regulation S-ID: Identity Theft Red Flags
248.1-100. Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information
240.17a-4(f). The Securities Exchange Act of 1933 (17 CFR §240.17a-4(f)) requires firms to preserve electronically stored records in a non-rewriteable, non-erasable format.

Regulatory Notice 20-13
FINRA Reminds Firms to Beware of Fraud During the Coronavirus (COVID-19) Pandemic
Tue, 05/05/2020 - 12:00
Regulatory Notice 20-12
FINRA Warns of Fraudulent Phishing Emails Purporting to be from FINRA
Mon, 05/04/2020 - 12:00
Information Notice – 3/26/20
Cybersecurity Alert: Measures to Consider as Firms Respond to the Coronavirus Pandemic (COVID-19)
Thu, 03/26/2020 - 12:00
Information Notice – 10/2/19
Cybersecurity Alert: Cloud-Based Email Account Takeovers
Wed, 10/02/2019 - 12:00
Information Notice – 4/29/19
Imposter Websites Impacting Member Firms
Mon, 04/29/2019 - 12:00
Information Notice – 2/13/19
FINRA Warns of Fraudulent Phishing Emails Targeting Member Firms
Wed, 02/13/2019 - 12:00
Information Notice – 6/19/15
Distributed Denial of Service (DDoS) Attacks on Member Firms
Fri, 06/19/2015 - 12:00
Information Notice 2/9/12
FINRA Warns Firms of Hoax Emails That Purport to Be From Regulators
Wed, 02/29/2012 - 12:00
Regulatory Notice 12-05
Verification of Emailed Instructions to Transmit or Withdraw Assets From Customer Accounts
Thu, 01/26/2012 - 12:00
Notice to Members 05-48
Members' Responsibilities When Outsourcing Activities to Third-Party Service Providers
Fri, 07/22/2005 - 12:00

Virtual Conference Panel
How to Protect Yourself and Your Firm From Cyberattacks When Working From Home During COVID-19
As we navigate the challenges posed by COVID-19 and the need to halt the spread of this pandemic, many of us are settling into a routine of working from home. Cybercriminals are alert to the work from home trend and they are using this to their advantage to infiltrate our organizations. Join FINRA staff and industry panelists as they provide examples of effective controls and tools their firms have put into place to monitor and address cybersecurity risks.
May 19, 2020
Guidance
Common Cybersecurity Threats
This article highlights some of the common cybersecurity threats faced by broker-dealers. In a number of cases, FINRA has observed that different types of attacks were coordinated and overlapped.
July 09, 2019
A Few Minutes With FINRA
A Few Minutes With FINRA: Report on Selected Cybersecurity Practices – 2018
FINRA’s Senior Vice President of Member Relations and Education Chip Jones, leads a discussion with Chief Information Security Officer John Brady, Senior Director Steve Polansky and Kansas City Surveillance Director Dave Kelley, on FINRA’s 2018 report on selected cybersecurity practices. The discussion includes an overview of the report, which highlights effective practices in five challenging areas that firms should consider to strengthen and further develop their cybersecurity programs—as well as core cybersecurity controls for small firms. (30 min. 17 sec.)
December 20, 2018
Compliance Tools
Cybersecurity Checklist
Protecting investors means protecting their data, too. Our Small Firm Cybersecurity Checklist supports small firms in establishing a cybersecurity program to:
July 12, 2018
Video
Cybersecurity Experts Gather for FINRA Conference
Cybersecurity experts and regulators gathered in New York City on February 22, 2018 to focus on key ways the financial services industry can maintain cybersecurity.
February 26, 2018
2017 Exam Findings Report
Cybersecurity
Cybersecurity is one of the principal operational risks facing broker-dealers. Recent revelations regarding successful attacks at a number of different entities underscore the need for firms to be vigilant in addressing cybersecurity threats.
December 01, 2017
A Few Minutes With FINRA
A Few Minutes with FINRA: Cybersecurity – Part III
Dave Kelley explains common cybersecurity program deficiencies related to vendor management, branch-level controls and data protection. (7 min. 45 sec.)
July 24, 2017
A Few Minutes With FINRA
A Few Minutes with FINRA: Cybersecurity – Part II
Dave Kelley talks about formalizing the oversight of a firm's cyber program and strengthening controls around access to data and systems. (6 min. 24 sec.)
July 17, 2017
A Few Minutes With FINRA
A Few Minutes with FINRA: Cybersecurity – Part I
Susan Axelrod and Dave Kelley discuss common deficiencies FINRA staff see during examinations of firm's cybersecurity programs. (6 min. 34 sec.)
July 10, 2017
Compliance Tools
Non-FINRA Cybersecurity Resources
FINRA has assembled a list of resources that firms may use to manage their cybersecurity risk. These resources include: news and analysis; effective practices and guidance; and free diagnostic tools...
October 25, 2016
Compliance Tools
Small Firm Cybersecurity Checklist
FINRA has created a checklist to assist small firms in establishing a cybersecurity program.
May 23, 2016
Targeted Examination Letter
Targeted Examination Letter on Cybersecurity
FINRA is conducting an assessment of firms’ approaches to managing cyber-security threats. FINRA is conducting this assessment in light of the critical role information technology (IT) plays in the securities industry, the increasing threat to firms’ IT systems from a variety of sources, and the potential harm to investors, firms, and the financial system as a whole that these threats pose.
January 01, 2014

FINRA Publishes Report on Selected Cybersecurity Practices – 2018
December 20, 2018
FINRA Fines 12 Firms a Total of $14.4 Million for Failing to Protect Records From Alteration
December 21, 2016
FINRA Fines Scottrade $2.6 Million for Significant Failures in Required Electronic Records and Email Retention
November 16, 2015
FINRA Issues Report on Cybersecurity Practices, Cybersecurity Investor Alert
February 03, 2015
FINRA Warns Investors of Email Hack Attacks
January 26, 2012
FINRA Warns Public of Scam Using Fake FINRA Emails in "Phishing" Scheme
October 05, 2009
FINRA Fines Centaurus Financial $175,000 for Failure to Protect Confidential Customer Information
April 28, 2009
FINRA Warns Job Seekers About Online Classifieds Scams Aimed at Identity Theft, Financial Fraud
May 12, 2008

Investor Education
5 Tips to Stay Safe Online This National Cybersecurity Awareness Month
These days, so much of our lives happen online. That makes cybersecurity more important than ever before. This National Cybersecurity Awareness Month, we’ve got five tips to help to stay safer and more secure online.
Investor Alert
Keeping Your Account Secure: Tips for Protecting Your Financial Information
Your brokerage firm has an obligation to safeguard your personal financial information. And every investor should take time to understand their firm’s cybersecurity procedures. But even the best procedures cannot prevent all instances of identity theft—especially if the vulnerability lies with you, the customer. Here are critical steps you can take to safeguard your financial accounts and help prevent identity theft.
Investor Alert
Cybersecurity and Your Brokerage Firm
Information technology (IT) plays a critical role in the securities industry. Unfortunately, cyber threats to the information and computer systems of brokerage firms are increasing, and with these threats comes the risk of potential harm to investors.
Investor Alert
"Phishing" and Other Online Identity Theft Scams: Don't Take the Bait
FINRA is updating this Alert to tell you about some of the latest online identify theft scams targeting financial sector customers and to provide tips for spotting and avoiding these scams.
Investor Alert
Email Hack Attack? Be Sure to Notify Brokerage Firms and Other Financial Institutions
FINRA has received an increasing number of reports involving investor funds being stolen by fraudsters who first gain access to the investor’s email account and then email instructions to the firm to transfer money out of the brokerage account. In addition to issuing a Regulatory Notice to firms, we are issuing this Alert to warn investors about the potential financial consequences of a compromised email account and to provide tips for safeguarding your assets.
Investor Alert
Beware of Online Job Classifieds Used to Steal Your Identity
In another variation of the identity theft tale, stock traders posing as employees of a made-up Latvian brokerage firm appear to have stolen personal information from individuals who thought they were applying for a job through the popular classifieds website, Craigslist (www.craigslist.org).
Investor Alert
Protect Your Online Brokerage Account: Safety Should Come First When Logging In and Out
The Internet and, more recently, wireless technology have made it easy for investors to check brokerage account information and initiate investment transactions on the go. We are issuing this Alert to warn investors to take precautions to help ensure the security of their brokerage accounts. Not doing so puts your account information and investments at risk.
Investor Education
Safeguarding Your Financial Information: An Identity Theft Prevention Checklist
Use this checklist to safeguard your sensitive information and help keep identity thieves at bay.

2017 Exam Findings Report
2018 Exam Findings Report
2019 Exam Findings Report
A Few Minutes With FINRA
About FINRA
Annual Regulatory and Examination Priorities Letters
Arbitration and Mediation
Blog Post
Board of Governors Meeting
Capital Market Insights
Careers
Communications to Firms
Compliance Tools
Conference Call
Content Hub
Content Outline
Continuing Education
Disciplinary Action Report
Election Notice
Email to Firms
Events & Training
Exemptive Letter
FAQ
Filing and Reporting
Financial Reports
FINRA's Financial Guiding Principles
FINRA360 Progress Report
Form
From Small Firm Advisory Board (SFAB)
Get Involved
Guidance
Hide From What's New
Information Notice
Interpretive Letter
Investor Alert
Investor Education
Investor Highlights
Investor Insights
Investor Resources
Key Topic
Manage Your Career
Market Integrity
Market Safety
Media Center
Monthly Disciplinary Actions
Neutral Corner
News Release
Notice
Notice to Members
Oversight & Enforcement
Podcast
Publication
Qualification Exam
Quarterly Disciplinary Review
Registration
Regulation and Compliance
Regulatory and Compliance Alerts (RCA)
Regulatory Notice
Report / Study
Report Card
Request for Comment
Responsible Citizenship
Rule
Rule Filing
Special Notice
Speech / Testimony
Targeted Examination Letter
Technical Documentation
Technical Notice
The Alert Investor
Trade Reporting Notice
Training
User Guide
Video
Virtual Conference Panel
Webinar

401(k)
403(b)
457
529 Prepaid Tuition Plans
529 Savings Plans
Accounts At Other Broker Dealers and Financial Institutions
Advertising Regulation
Agency Bonds
Algorithmic Trading
Alternative and Complex Products
Alternative Display Facility (ADF)
Annual Audit
Anti-Money Laundering
Arbitration and Mediation
Asset Backed Securities
Auction Rate Securities
Back testing
Bank Products
Best Execution
Best Practices
Block Chain / Distributed Ledger Technology
Blue Sheets
Bond Funds
Bond Mutual Fund Volatility/Risk Rating
Bonds
Books and Records
Branch Offices
Breakpoints
Broker Dealer Registration
Broker Migration
Broker-Dealer Recruitment Disclosures
Brokerage
BrokerCheck
Business Cards
Business Continuity Planning
Business Development Company (BDC)
Capital Acquisition Brokers
Capital Formation
Carrying Agreements
Cash Equivalents
Catastrophe Bonds
Central Registration Depository (CRD)
Certificates of Deposit (CDs)
Collateralized Mortgage Obligations (CMOs)
College Savings Plans
Commodities and Futures
Communications with the Public
Compensation
Compliance Resources
Comprehensive Automated Risk Data System (CARDS)
Conflicts of Interest
Consolidated Audit Trail (CAT)
Consolidated Reports
Continuing Education
Continuing Membership Applications
Continuing Membership Applications
Corporate Bonds
Corporate Financing
Correspondence
Coverdell Education Saving Accounts (ESAs)
COVID-19 / Coronavirus
Credit for Cooperation
Custodial Accounts (UGMA and UTMA)
Customer Account Statements
Customer Account Transfers
Customer Information Protection
Customer Orders
Cybersecurity
Day Trading
Deferred Annuities
Department of Labor
Derivatives and Other Balance Sheet Items (OBS)
Digital Experience Transformation (DXT)
Direct Participation Programs (DPPs)
E-Bill
Education
EFocus
Electronic Communications
Electronic Filing Requirements
Electronic Fingerprint Processing
Electronic Fingerprint Submission (EFS)
Enforcement
Enforcement Process
Engagement
Equities
Equity-Indexed Annuities
Essentials Exam
Event Linked Bonds
Exam Restructuring
Exams
Exchange Traded Funds (ETFs)
Expense Ratio
Expertise
Fee Disclosure
Fees
Filing Requirements
Financial and Operational Rules, Interpretations of
Financial Responsibility
Financial Stress Test
Fingerprints
FINRA Foundation
FINRA Logo
FINRA Membership/Name
FINRA360
FinTech
Firm Examination Program
Fixed Annuities
Fixed Income
Foreign Exchange Trading
Free Writing Prospectus
Funding and Liquidity
Funding Portals
Funds
GASB Accounts Support Fee
Generation X
Ghost-writing
Gifts and Gratuities
Governmental Accounting Standards Board (GASB)
Hedge Funds
High Risk Brokers
High Yield Bonds
High Yield Securities
Home Equity Funded Investments
Hyperlinks
Illiquid Investments
Indications of Interest
Individual Registration
Individual Retirement Accounts (IRAs)
Inexperienced
Information and Testimony Requests
Initial Public Offering (IPO)
Innovation
INSITE
Institutional Communications
Insurance
International and Emerging Market Bonds
Investment Analysis Tools
Investment Banking Referrals
Investment Products
Investors
Junk Bonds
Letterhead
Life Settlements
Limit Order
Linking to BrokerCheck
Margin Accounts
Margin Risk Disclosure
Mark-ups / Mark-Downs
Market Access
Market Order
Market Regulation
Market Transparancy
Materiality Consultation Process
Member Application Program
Mergers Acquisitions and Business Transfers
Military
Military Spouses
Millennials
Money Market Securities
Mortgage Backed Securities
Mortgages
Municipal Advisor Regulation
Municipal Fund Securities
Municipal Securities
Mutual Funds
National Adjudicatory Council (NAC)
National Cause and Financial Crimes Detection Programs (NCFC)
National Do-Not-Call Registry
National Market System Plans
Near Retirement
Negative Response Letters
Net Capital
New Account Process
New Firm Communications
New Investor
Non-cash Compensation
Office of Fraud Detection and Market Intelligence
Office of Hearing Officers (OHO)
Office of the Chief Economist
Office of the General Counsel
Office of the Whistleblower
Operations
Options
Options Exchange Filings
Order Audit Trail System (OATS)
Order Handling
OTC (ATS & Non-ATS) Transparency
OTC Bulletin Board (OTCBB)
Over-the-Counter Reporting Facility (ORF)
Oversight
Penny Stocks
Pre-investor
Preferred Securities
Principal Approval
Principal Protected Notes
Private Placements
Product Vetting
Professional Designations
Projections
Promissory Notes
Proprietary Trading
Public Disclosure Program
Public non-traded REITS
Public Offerings
Qualification Exams
Rankings
Real Estate Investment Trusts
Registered Investment Advisers (RIA)
Registration and Disclosure (RAD)
Regulation A Offerings
Regulation Best Interest (REG BI)
Regulation D Offerings
Regulation M
Regulation M Filings
Regulation NMS
Related Performance
Renewal Program
Reporting
Reprints
Research Analyst Rules
Research Disclosures
Research Reports
Retirement Savings Plans
Retrospective Rule Review
Reverse Convertible Notes (RCN)
Risk Management
Rule 4530 Reporting Requirements
Sales Practices
Sanction Guidelines
Savings Accounts
Securities Investor Protection Corporation - SIPC
Security Futures
SEC’s July 2013 Financial Responsibility Rule Amendments
Senior Designations
Senior Investors
Shareholder Reports
Short Interest Reporting
Short Selling
Social Media
Statutory Disqualification
Stocks
Structured Products
Subordination Agreements
Suitability
Supervision
Supplemental Statement of Income (SSOI)
Technology
Teens
Telemarketing
Television and Video
Templates
Tenants-in-Common Interests
Third Party Research
Thrift savings plan (TSP)
Tick Size Pilot Program
TRACE BTDS
Trade Reporting and Compliance Engine (TRACE)
Trade Reporting Facility (TRF)
Trading Activity Fee
Treasury Bills
Treasury Bonds
Treasury Inflation Protected Securities (TIPS)
Treasury Notes
U.S. Treasury Securities
Uniform Practice Code (UPC)
Update a Firm's Registration
Variable Annuities
Variable Life Insurance Products
VIX-Linked Products (Volatility Index)
Women