Non-FINRA Cybersecurity Resources
FINRA has assembled a list of resources that firms may use to manage their cybersecurity risk. These resources include:
- News and Analysis
- Effective Practices and Guidance
- Free Diagnostic Tools
- Governmental Resources
- Other Resources & Training
Use of any of these resources does not ensure compliance with FINRA’s cybersecurity rules and policies. FINRA does not endorse or guarantee any of the resources listed below.
News and Analysis
Krebs on Security is a cybersecurity blog that provides in-depth security news and investigation.
Verizon Data Breach Report
This report is a collection of real-world data breaches and information security incidents.
Privacy Rights Clearinghouse
Privacy Rights Clearinghouse is a non-profit organization that offers consumer information and advocacy programs bent on protecting privacy in the digital age.
Effective Practices and Guidance
CIS Critical Security Controls
The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to manage and reduce today's most pervasive and dangerous attacks.
Open Web Application Security Project (OWASP)
The OWASP is an organization focused on improving the security of software. OWASP provides impartial, practical information about application software security to individuals, corporations, universities, government agencies and other organizations worldwide.
SANS Security Resources
The SANS Security page provides a cybersecurity reading room with whitepapers on a wide array of cybersecurity topics, resources to support the development and implementation of information security policies, SANS Technology Institute research, Cybersecurity news and awareness material, and other useful resources.
SIFMA Cybersecurity Guidance for Small Firms
This guide builds upon the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework, which is derived from existing industry standards. Firms should apply the best practices in this guide in a risk-based, threat-informed approach based on the resources available and in support of their firm’s overall business model.
Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
National Conference of State Legislatures (NCSL)
National Conference of State Legislatures (NCSL) provides general comparative information related to State Laws related Digital Privacy, Security Breach and Cybersecurity.
International Association of Privacy Professionals (IAPP)
The International Association of Privacy Professionals: Policy neutral, we are the world's largest information privacy organization.
National Cybersecurity Alliance (Cybersecurity Awareness)
The National Cyber Security Alliance is the nation's leading nonprofit, public-private partnership promoting cybersecurity and privacy education.
Free Diagnostic Tools
Cybersecurity Evaluation Tool (CSET)
The Cyber Security Evaluation Tool (CSET®) provides a systematic, disciplined, and repeatable approach for evaluating an organization’s security posture. CSET is a desktop software tool that guides asset owners and operators through a step-by-step process to evaluate industrial control system (ICS) and information technology (IT) network security practices. Users can evaluate their own cybersecurity stance using many recognized government and industry standards and recommendations.
CIS Controls Self-Assessment Tool (CIS CSAT)
The Center for Internet Security (CIS) developed a tool to help cybersecurity practitioners track and prioritize their implementation of the CIS Controls by using questions from the CIS Critical Security Control Manual Assessment Tool.
FBI Internet Crime Complaint Center (IC3)
The FBI is a federal investigative and intelligence unit agency with jurisdiction in a wider range of federal crimes; national security matters; cyber/computer crimes and intrusions; and intelligence activities that relate to those matters. Report Cybercrime
StopRansomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts helping public and private organizations defend against the rise of ransomware cases. Organizations are encouraged to use this new website to understand the threat of ransomware, mitigate risk, and in the event of an attack, know what steps to take next.
CISA is the Nation’s risk advisor, working with partners to defend against today’s threats and collaborating to build more secure and resilient infrastructure for the future.
DHS Department of Homeland Security
The Department of Homeland Security has a vital mission: to secure the nation from the many threats we face. This requires the dedication of more than 240,000 employees in jobs that range from aviation and border security to emergency response, from cybersecurity analyst to chemical facility inspector. Our duties are wide-ranging, and our goal is clear - keeping America safe.
Federal Trade Commission (Cybersecurity for Small Business)
Learn the basics for protecting your business from cyber attacks. The business cybersecurity resources in this section were developed in partnership with the National Institute of Standards and Technology, the U.S. Small Business Administration, and the Department of Homeland Security.
NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) has created a Cybersecurity Framework based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk. In addition, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.
The Federal Financial Institutions Examination Council (FFIEC) is a formal U.S. government interagency body composed of five banking regulators that is "empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions"
The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. Through knowledge sharing, capacity building and awareness raising, the Agency works together with its key stakeholders to strengthen trust in the connected economy, to boost resilience of the Union’s infrastructure, and, ultimately, to keep Europe’s society and citizens digitally secure.
The International Organization of Securities Commissions is an association of organizations that regulate the world's securities and futures markets. Members are typically primary securities and/or futures regulators in a national jurisdiction or the main financial regulator from each country.
Other Resources & Training
Financial Services Information Sharing and Analysis Center (FS-ISAC)
The FS-ISAC is a member-driven organization that shares threat and vulnerability information, conducts coordinated contingency planning exercises, manages rapid response communications for both cyber and physical events, conducts education and training programs, and fosters collaborations with and among other key sectors and government agencies.
Standard Information Gathering (SIG) Vendor Questionnaire
Shared Assessments provides its members with best practices, solutions and tools for third-party risk management. One of Shared Assessments’ key tools is the Standardized Information Gathering (SIG) questionnaire. This questionnaire can be used as part of a risk management review that is assessing a vendor’s cybersecurity controls along with the processes in place concerning privacy, data security, and business resiliency. The questionnaire is flexible and can be scaled up and down in scope and breadth of coverage. Organizations may utilize either the Lite, Core, or Full version of the SIG for their third-party vendor evaluations.
ISACA is an international professional association focused on IT governance. Audit and Control Association (ISACA) is an international professional association focused on IT governance.
The International Information System Security Certification Consortium, or (ISC)², is a non-profit organization which specializes in training and certifications for cybersecurity professionals. It has been described as the "world's largest IT security organization".
The International Association of Privacy Professionals (IAPP) is a nonprofit, non-advocacy membership association providing a forum for privacy professionals to share best practices, track trends, advance privacy management issues, standardize the designations for privacy professionals, provide education and guidance on career opportunities in the field of information privacy. The IAPP offers a full suite of educational and professional development services, including privacy training, certification programs, publications and annual conferences.
The SANS Institute is a private U.S. for-profit company founded in 1989 that specializes in information security, cybersecurity training, and selling certificates. Topics available for training include cyber and network defenses, penetration testing, incident response, digital forensics, and auditing.
Feel free to email us to provide feedback and suggestions to enhance this page.