Skip to main content

For updates and guidance related to COVID-19 / Coronavirus, click here.

Non-FINRA Cybersecurity Resources

FINRA has assembled a list of resources that firms may use to manage their cybersecurity risk. These resources include:

Use of any of these resources does not ensure compliance with FINRA’s cybersecurity rules and policies.  FINRA does not endorse or guarantee any of the resources listed below. 

News and Analysis

Brian Krebs  
Krebs on Security is a cybersecurity blog that provides in-depth security news and investigation.

DARKReading is a cybersecurity news site covering top stories in information security including new cyber threats, vulnerabilities and technology trends.

Verizon Data Breach Report
This report is a collection of real-world data breaches and information security incidents from 2018.

Effective Practices and Guidance

CIS Critical Security Controls
The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to manage and reduce today's most pervasive and dangerous attacks.

FBI Local Offices
The FBI has 56 field offices located in the US and Puerto Rico.  Find your local office from this site.

NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) has created a Cybersecurity Framework based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk.  In addition, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.

Open Web Application Security Project (OWASP)
The OWASP is an organization focused on improving the security of software. OWASP provides impartial, practical information about application software security to individuals, corporations, universities, government agencies and other organizations worldwide.

SANS Security Resources
The SANS Security page provides a cybersecurity reading room with whitepapers on a wide array of cybersecurity topics, resources to support the development and implementation of information security policies, SANS Technology Institute research, Cybersecurity news and awareness material, and other useful resources.

SIFMA Cybersecurity Guidance for Small Firms
This guide builds upon the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, which is derived from existing industry standards. Firms should apply the best practices in this guide in a risk-based, threat-informed approach based on the resources available and in support of their firm’s overall business model. 

Web Application Security Consortium (WASC)
The WASC is an organization that produces open source and widely agreed upon best-practice security standards for the World Wide Web.  WASC consistently releases technical information, contributed articles, security guidelines, and other useful documentation. 

Free Diagnostic Tools

Baldrige Cybersecurity Excellence Builder 
This draft document from the National Institute of Standards and Technology (NIST) provides key questions for improving your organization’s cybersecurity performance.

FFIEC Cybersecurity Assessment Tool
The Federal Financial Institutions Exam Council (FFIEC) has developed a cybersecurity assessment tool to help financial institutions identify their risks and determine their cybersecurity preparedness.

Web Server Encryption Test
This free online service from Qualys SSL Labs performs a deep analysis of the communication security configuration of any secure web server on the Internet. 

CIS Controls Self-Assessment Tool (CIS CSAT)
The Center for Internet Security (CIS) developed a tool to help cybersecurity practitioners track and prioritize their implementation of the CIS Controls by using questions from the CIS Critical Security Control Manual Assessment Tool.

Other Resources

Financial Services Information Sharing and Analysis Center (FS-ISAC) 
The FS-ISAC is a member-driven organization that shares threat and vulnerability information, conducts coordinated contingency planning exercises, manages rapid response communications for both cyber and physical events, conducts education and training programs, and fosters collaborations with and among other key sectors and government agencies. 

Standard Information Gathering (SIG) questionnaire
Shared Assessments provides its members with best practices, solutions and tools for third-party risk management.  One of Shared Assessments’ key tools is the Standardized Information Gathering (SIG) questionnaire.  This questionnaire can be used as part of a risk management review that is assessing a vendor’s cybersecurity controls along with the processes in place concerning privacy, data security, and business resiliency. The questionnaire is flexible and can be scaled up and down in scope and breadth of coverage. Organizations may utilize either the Lite, Core, or Full version of the SIG for their third party vendor evaluations. For more information, visit the Shared Assessments website at

Feel free to email us to provide feedback and suggestions to enhance this page.