Given the evolving nature, increasing frequency, and mounting sophistication of cybersecurity attacks – as well as the potential for harm to investors, firms, and the markets – cybersecurity practices are a key focus for firms and FINRA.
FINRA evaluates firms’ approaches to cybersecurity risk management through reviews of their controls in areas including: technology governance, risk assessment, technical controls, access management, incident response, vendor management, data loss prevention, system change management, branch controls and staff training. Through these reviews, FINRA also assesses a firm’s ability to protect the confidentiality, integrity, and availability of sensitive customer information.
These pages are designed to assist a firm in building out its cybersecurity program by addressing the individual risks and discussing related controls needed to protect customer and firm confidential data. FINRA has updated this Cybersecurity page to include the following resources:
- In case of a Disruptive Attack or Breach
- Common Cybersecurity Threats
- Compliance Tools
- FINRA Cybersecurity Contact
In Case of a Disruptive Attack or Breach
Firms should get to know their local Federal Bureau of Investigation (FBI) and proactively plan for a cybersecurity attack or breach.
In case your firm is the victim of a disruptive attack or breach, for instance your data has been accessed or your customers cannot do business, you should immediately report the incident to your:
If you need RANSOMWARE assistance, one helpful resource is CISA’s Stop Ransomware!
Unsuccessful and successful cyber-related incidents could require that a SAR be filed. For more information, visit the Financial Crimes Enforcement Network (FinCEN)'s guidance.
Common Cybersecurity Threats
This section highlights some of the common cybersecurity threats faced by broker-dealers. In a number of cases, FINRA has observed that different types of attacks were coordinated and overlapped.
- Imposter Websites
- Customer Account Takeover (ATO)
- Firm Account Compromise or Takeover
- Fraudulent Wires or ACH Transactions
- Distributed Denial-of-Service (“DDoS”) Attacks
- Vendor Breaches
May 16-18 | Washington, DC | Hybrid Event
FINRA's premier event, the Annual Conference, provides the opportunity for practitioners, peers and regulators to exchange ideas on today's most timely compliance and regulatory topics.
This one-day conference brings together regulators, thought leaders and industry practitioners to discuss the use of Cloud Computing, and related opportunities and challenges.
FINRA’s Cybersecurity Conference helps you stay current on today’s cybersecurity challenges and the ways in which organizations can understand vulnerabilities and threats, and create resilience against cyber attacks.
FINRA Small Firm Conference: Cybersecurity Straight Talk
It is crucial that small financial firms take proper cybersecurity measures to protect their clients and firm. Join FINRA staff and industry panelists as they discuss the “why” behind threat-informed effective practices applicable to small firms, and how they can fit cybersecurity into their already overloaded schedule.
Moderator: David (Dave) Kelley, FINRA Member Supervision
Panelists: Peter Falco, Financial Services Information Sharing and Analysis Center (FS-ISAC); Jennifer Szaro, CRCP®, XML Securities, LLC
June 23, 2021
Join FINRA cybersecurity leaders as they discuss the current state of cybersecurity and the ever-changing threat landscape. The conversation will focus on three facets of FINRA’s cybersecurity initiatives: how FINRA secures its own systems, unique security features of the Consolidated Audit Trail (CAT) system, and how FINRA supports member firms’ cybersecurity programs.
2022 Report on FINRA’s Examination and Risk Monitoring Program
The Cybersecurity and Technology Governance section of the 2022 Report on FINRA’s Risk Monitoring and Examination Activities (the Report) informs member firms’ compliance programs by providing annual insights from FINRA’s ongoing regulatory operations, including (1) relevant regulatory obligations and related considerations, (2) exam findings and effective practices, and (3) additional resources.
Small Firm Cybersecurity Checklist
FINRA has created a Checklist for a Small Firm's Cybersecurity Program to assist small firms in establishing a cybersecurity program.
Compliance Vendor Directory (CVD)
In an effort to provide enhanced compliance tools and resources, FINRA has developed the Compliance Vendor Directory (CVD). The FINRA CVD is designed to give firms more options in locating vendors that provide compliance-related offerings, including cybersecurity vendors and services.
Core Cybersecurity Threats and Effective Controls for Small Firms
This tool helps small firms enhance their customer information protection and cybersecurity written supervisory programs and related controls by (1) highlighting the most common and recent categories of cybersecurity threats; (2) providing a summary of effective core controls; and (3) listing relevant terms and additional resources.
Report on Selected Cybersecurity Practices
The Report on Selected Cybersecurity Practices – 2018 is a detailed review of effective information-security controls at securities firms. The report is designed to help broker-dealers – including small firms – further develop their cybersecurity programs. The report addresses areas that firms tend to find most challenging: cybersecurity controls in branch offices; methods of limiting phishing attacks; identifying and mitigating insider threats; elements of a strong penetration-testing program; and establishing and maintaining controls on mobile devices.
Report on Cybersecurity Practices
In 2014 and 2011, FINRA reviewed firms' cybersecurity practices to better understand the types of cybersecurity threats firms face and how they counter these threats. This report highlights effective practices in the industry and discusses a risk management-based approach to cybersecurity.
FINRA has assembled a list of industry and governmental cybersecurity resources that firms may use to manage their cybersecurity risk.