For updates and guidance related to COVID-19 / Coronavirus, click here.
Given the evolving nature, increasing frequency, and mounting sophistication of cybersecurity attacks – as well as the potential for harm to investors, firms, and the markets – cybersecurity practices are a key focus for firms and FINRA.
FINRA evaluates firms’ approaches to cybersecurity risk management through reviews of their controls in areas including: technology governance, risk assessment, technical controls, access management, incident response, vendor management, data loss prevention, system change management, branch controls and staff training. Through these reviews, FINRA also assesses a firm’s ability to protect the confidentiality, integrity, and availability of sensitive customer information.
These pages are designed to assist a firm in building out its cybersecurity program by addressing the individual risks and discussing related controls needed to protect customer and firm confidential data. FINRA has updated this Cybersecurity page to include the following resources:
- In Case Of A Disruptive Attack or Breach
- Common Cybersecurity Threats
- Compliance Tools
- FINRA Cybersecurity Contact
In Case of a Disruptive Attack or Breach
Firms should get to know their local Federal Bureau of Investigation (FBI) and proactively plan for a cybersecurity attack or breach.
In case your firm is the victim of a disruptive attack or breach, for instance your data has been accessed or your customers cannot do business, you should immediately report the incident to your:
Common Cybersecurity Threats
This section highlights some of the common cybersecurity threats faced by broker-dealers. In a number of cases, FINRA has observed that different types of attacks were coordinated and overlapped.
- Imposter Websites
- Account Compromise or Takeover
- Fraudulent Wires
- Distributed Denial-of-Service (“DDoS”) Attacks
- Vendor Breaches
January 14, 2020 • New York, NY
FINRA’s Cybersecurity Conference helps you stay current on today’s cybersecurity challenges and the ways in which organizations can understand vulnerabilities and threats, and create resilience against cyber attacks.
October 23 – 24, 2019 • Santa Monica, CA
The Small Firm Conference focuses on small firms’ practices and tips for complying with FINRA rules. Don't miss Thursday morning's panel entitled, "Cybersecurity Guidance for Small Firms."
2018 Report on Selected Cybersecurity Practices is a detailed review of effective information-security controls at securities firms. The report is designed to help broker-dealers – including small firms – further develop their cybersecurity programs. The report addresses areas that firms tend to find most challenging: cybersecurity controls in branch offices; methods of limiting phishing attacks; identifying and mitigating insider threats; elements of a strong penetration-testing program; and establishing and maintaining controls on mobile devices.
2015 Report on Cybersecurity Practices highlights effective practices that firms should consider to strengthen their cybersecurity programs. The observations and practices in the report are based on a variety of sources, including a sweep we conducted in 2014 of firms of varying sizes and business models, a 2011 survey of firms and interviews with other organizations involved in cybersecurity. As we note in the report, there is no one-size-fits-all approach to a cybersecurity infrastructure. Rather, the risk management-based approach that we discuss in the report enables firms to tailor their program to their particular circumstances.
Small Firm Cybersecurity Checklist
FINRA has created a Checklist for a Small Firm's Cybersecurity Program to assist small firms in establishing a cybersecurity program.
Compliance Vendor Directory (CVD)
In an effort to provide enhanced compliance tools and resources, FINRA has developed the Compliance Vendor Directory (CVD). The FINRA CVD is designed to give firms more options in locating vendors that provide compliance-related offerings, including cybersecurity vendors and services.
Core Cybersecurity Controls for Small Firms
Core Cybersecurity Controls for Small Firms is a list of core controls that are likely to be relevant to many small firms’ cybersecurity programs. This list was designed to help small firms in establishing an effective cybersecurity program.
FINRA has assembled a list of non-FINRA cybersecurity resources that firms may use to manage their cybersecurity risk.
FINRA Rules Related to Cybersecurity
- 3110. Supervision
- 3120. Supervisory Control System
- 4530(b). Reporting Requirements
- Supplementary Material 4530.01. Reporting of Firms' Conclusions of Violations
SEC Rules Related to Cybersecurity
- 248.201-202. Regulation S-ID: Identity Theft Red Flags
- 248.1-100. Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information
- 240.17a-4(f). The Securities Exchange Act of 1933 (17 CFR §240.17a-4(f)) requires firms to preserve electronically stored records in a non-rewriteable, non-erasable format.
- FINRA Reminds Firms to Beware of Fraud During the Coronavirus (COVID-19) Pandemic
- FINRA Warns of Fraudulent Phishing Emails Purporting to be from FINRA
- Cybersecurity Alert: Measures to Consider as Firms Respond to the Coronavirus Pandemic (COVID-19)
- Cybersecurity Alert: Cloud-Based Email Account Takeovers
- Imposter Websites Impacting Member Firms
- FINRA Warns of Fraudulent Phishing Emails Targeting Member Firms
- Distributed Denial of Service (DDoS) Attacks on Member Firms
- FINRA Warns Firms of Hoax Emails That Purport to Be From Regulators
- Verification of Emailed Instructions to Transmit or Withdraw Assets From Customer Accounts
- Members' Responsibilities When Outsourcing Activities to Third-Party Service Providers
- Virtual Conference PanelAs we navigate the challenges posed by COVID-19 and the need to halt the spread of this pandemic, many of us are settling into a routine of working from home. Cybercriminals are alert to the work from home trend and they are using this to their advantage to infiltrate our organizations. Join FINRA staff and industry panelists as they provide examples of effective controls and tools their firms have put into place to monitor and address cybersecurity risks.May 19, 2020
This article highlights some of the common cybersecurity threats faced by broker-dealers. In a number of cases, FINRA has observed that different types of attacks were coordinated and overlapped.July 09, 2019
- A Few Minutes With FINRAFINRA’s Senior Vice President of Member Relations and Education Chip Jones, leads a discussion with Chief Information Security Officer John Brady, Senior Director Steve Polansky and Kansas City Surveillance Director Dave Kelley, on FINRA’s 2018 report on selected cybersecurity practices. The discussion includes an overview of the report, which highlights effective practices in five challenging areas that firms should consider to strengthen and further develop their cybersecurity programs—as well as core cybersecurity controls for small firms. (30 min. 17 sec.)December 20, 2018
- Compliance Tools
Protecting investors means protecting their data, too. Our Small Firm Cybersecurity Checklist supports small firms in establishing a cybersecurity program to:July 12, 2018
- VideoCybersecurity experts and regulators gathered in New York City on February 22, 2018 to focus on key ways the financial services industry can maintain cybersecurity.February 26, 2018
- 2017 Exam Findings ReportCybersecurity is one of the principal operational risks facing broker-dealers. Recent revelations regarding successful attacks at a number of different entities underscore the need for firms to be vigilant in addressing cybersecurity threats.December 01, 2017
- A Few Minutes With FINRADave Kelley explains common cybersecurity program deficiencies related to vendor management, branch-level controls and data protection. (7 min. 45 sec.)July 24, 2017
- A Few Minutes With FINRADave Kelley talks about formalizing the oversight of a firm's cyber program and strengthening controls around access to data and systems. (6 min. 24 sec.)July 17, 2017
- A Few Minutes With FINRASusan Axelrod and Dave Kelley discuss common deficiencies FINRA staff see during examinations of firm's cybersecurity programs. (6 min. 34 sec.)July 10, 2017
- Compliance ToolsFINRA has assembled a list of resources that firms may use to manage their cybersecurity risk. These resources include: news and analysis; effective practices and guidance; and free diagnostic tools...October 25, 2016
- Compliance ToolsFINRA has created a checklist to assist small firms in establishing a cybersecurity program.May 23, 2016
- Targeted Examination LetterFINRA is conducting an assessment of firms’ approaches to managing cyber-security threats. FINRA is conducting this assessment in light of the critical role information technology (IT) plays in the securities industry, the increasing threat to firms’ IT systems from a variety of sources, and the potential harm to investors, firms, and the financial system as a whole that these threats pose.January 01, 2014
- December 20, 2018
- December 21, 2016
- FINRA Fines Scottrade $2.6 Million for Significant Failures in Required Electronic Records and Email RetentionNovember 16, 2015
- February 03, 2015
- January 26, 2012
- October 05, 2009
- April 28, 2009
- May 12, 2008
- Investor EducationThese days, so much of our lives happen online. That makes cybersecurity more important than ever before. This National Cybersecurity Awareness Month, we’ve got five tips to help to stay safer and more secure online.
- Investor AlertYour brokerage firm has an obligation to safeguard your personal financial information. And every investor should take time to understand their firm’s cybersecurity procedures. But even the best procedures cannot prevent all instances of identity theft—especially if the vulnerability lies with you, the customer. Here are critical steps you can take to safeguard your financial accounts and help prevent identity theft.
- Investor AlertInformation technology (IT) plays a critical role in the securities industry. Unfortunately, cyber threats to the information and computer systems of brokerage firms are increasing, and with these threats comes the risk of potential harm to investors.
- Investor AlertFINRA is updating this Alert to tell you about some of the latest online identify theft scams targeting financial sector customers and to provide tips for spotting and avoiding these scams.
- Investor AlertFINRA has received an increasing number of reports involving investor funds being stolen by fraudsters who first gain access to the investor’s email account and then email instructions to the firm to transfer money out of the brokerage account. In addition to issuing a Regulatory Notice to firms, we are issuing this Alert to warn investors about the potential financial consequences of a compromised email account and to provide tips for safeguarding your assets.
- Investor AlertIn another variation of the identity theft tale, stock traders posing as employees of a made-up Latvian brokerage firm appear to have stolen personal information from individuals who thought they were applying for a job through the popular classifieds website, Craigslist (www.craigslist.org).
- Investor AlertThe Internet and, more recently, wireless technology have made it easy for investors to check brokerage account information and initiate investment transactions on the go. We are issuing this Alert to warn investors to take precautions to help ensure the security of their brokerage accounts. Not doing so puts your account information and investments at risk.
- Investor EducationUse this checklist to safeguard your sensitive information and help keep identity thieves at bay.