Smallfirm Cybersecurity Checklist

CYBERSECURITY
Checklist for a Small Firm's Cybersecurity Program
Firm Name:
Person(s) Responsible for Cybersecurity Program:
Last Date Reviewed:
Key Personnel:
Firm's IT Consultant:
Last Updated: (FINRA's last update) Version 1.3 June 2023

June 2023 updates
- Updated existing links to include latest version of content in 'Overview' and 'Resources' tabs
- Added the link to FINRA cybersecurity Guidance, Rules and Notices under 'FINRA Resources'
- Added the FINCEN link for SAR reporting under 'Others' in the 'Resources' tab
- Added the term "Supply Chain Vendor" to Section 3 on Third Party Vendor
- Updated Section 7 to include "Branch Rep" and added "non-firm issued" to question (3)
- Updated Section 9 to align with Risk Assessment which is more aligned to small firms than Penetration Testing
- Added some additional items and questions to consider while completing Sections 3
Cybersecurity Checklist Version 1.2 June 2020 Release Notes:

-Added new links and updated some links to Overview and Resources tabs
-Updated existing links to include the latest version of content in Overview and Resources tabs
Important:
Legend for Text Entry Fields

Enter Free Text
Cybersecurity is broadly defined as the protection of investor and firm information and systems (collectively, "assets") from compromise through the use—in whole or in part—of Pre-Populated Fields
information technology. Compromise refers to a loss of data confidentiality, integrity or availability. This checklist is designed to assist small member firms with limited resources
to establish and maintain a cybersecurity program to identify and assess cybersecurity threats, protect assets from cyber intrusions [and unauthorized access], detect when their Choose from Drop Down List
systems and assets have been compromised, plan for the response when a compromise occurs and implement a plan to recover lost, stolen or unavailable assets. This checklist is Locked Down Fields
primarily derived from the National Institute of Standards and Technology (NIST) Cybersecurity Framework and FINRA’s Reports on Cybersecurity Practices (Please consult the Insert Rows
Resources tab for in-depth discussion on the subjects listed herein).
Using this checklist is optional, and it is not meant to be exhaustive. Firms may choose to develop or use their own checklist, borrow sections from this checklist to include in their
own checklist, or use a different resources (e.g., SIFMA’s small firm check list, NIST guidance, or the SEC's Securities and Exchange Commission’s guidance). There is no one-size-
fits-all cybersecurity program. Firms should tailor their cybersecurity program in a way that best suits their business model and adapt this checklist and other resourcesit to reflect
their particular business, products, customer base and risks. Use of this checklist does not create a "safe harbor" with respect to FINRA rules, federal or state securities laws, or
other applicable federal or state regulatory requirements.
Note that in March 2023, the Securities and Exchange Commission (SEC) proposed a new rule, form, and related amendments that would require specified entities, including
broker-dealers, to address their cybersecurity risks. If the proposal is adopted, broker-dealer members would have new cybersecurity risk managment requirements.
Methodology:
Using this checklist, firms will identify and inventory their information assets, assess the adverse impact to customers and the firm if the assets were compromised, and assign a
risk level based on this assessment. Firms will identify potential protections and processes to secure the assets, and make a risk-based determination, considering their resources,
the consequences of a potential breach and available protections and safeguards, on how to address the identified risks. Firms may decide to remediate or address some high-
level risk impact vulnerabilities or they may decide that the threat is a low-level risk impact which they can accept. Firms should consider articulating why they decided to
remediate or chose not to remediate identified risks. Because of the importance of protecting information assets, senior executives should be informed of the identified risks and
weigh in on determinations on how to best allocate firm resources in order to address those risks. See questions in the "Procedures for completing this checklist" section below.
Assistance:
At small firms, one person may be responsible for many functions, such as operations, compliance and legal. In some cases, the primary person working on compliance programs
may not be a technology expert, and he or she may not understand the technology at issue or terms used in this checklist. In this instance, the firm may consider enlisting outside
technology help, industry trade associations or other peer groups, their vendors or their FINRA Risk Monitoring Analyst to understand the information discussed in this checklist.
However, firms are ultimately responsible for their compliance and should not assume that others, such as clearing firms or outside vendors, are responsible for preventing or
reacting to a cybersecurity incident. If you have any questions or issues with this checklist, please contact CAU@finra.org.
Using Excel:
This checklist is in Excel format and uses Excel formulas. The person completing this checklist should have a basic knowledge of Excel. There are many helpful video tutorials on
Excel available on YouTube for those who may need assistance with how to use Excel.
Please note: If you need to insert a new row in Section 1, you will also need to insert rows on the other Sections and copy the pre-existing formulas into the newly inserted cells.
CYBERSECURITY
Checklist for a Small Firm's Cybersecurity Program
Firm Name:
Person(s) Responsible for Cybersecurity Program:
Last Date Reviewed:
Key Personnel:
Firm's IT Consultant:
Procedure for completing this checklist:
Review the five questions below and based upon your answers, complete the sections (12 tabs total) applicable to your business. The five core sections of the checklist follow the
NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.
Questions about your firm's assets and systems:
1) Does your firm store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial
records) electronically?
If you answer yes to question 1, you will fill out the following sections of the Cybersecurity Checklist:
Section 1 - Identify and Assess Risks: Inventory

Section 2 - Identify and Assess Risks: Minimize Use
Section 4 - Protect: Information Assets
Section 6 - Protect: Encryption
Section 8 - Protect: Controls and Staff Training
Section 9 - Detect: Risk Assessment
Section 10 - Detect: Intrusion
Section 11 - Response Plan
2) Does your firm transmit PII or firm sensitive information to a third party or otherwise allow access to PII or firm sensitive information by a third party?
If you answer yes to question 2, you will fill out:
Section 3 - Identify and Assess Risks: Third Party Access
3) Does your firm have assets that if lost or made inoperable would impact your firm's operations (e.g., trading or order management systems)?

Section 5 - Protect: Systems Assets
4) Do your firm's employees (or independent contractors) maintain non-firm issued devices (e.g., server, storage, etc.) that access or store PII or firm sensitive information?
Section 7 - Protect: Employee Devices
5) If your firm's systems, PII or firm sensitive information were made inoperable or stolen, would your firm need to recover them to conduct business?
Section 12 - Recovery
For questions: please email: cybertech@finra.org

How to print current section (tab):
From the top left, click File, then click Print, then under Setting, select Print Active Sheets, then click Print
How to print all sections (Entire Workbook):

From the top left, click File, then click Print, then under Setting, > Print Active Sheets, select Print Entire Workbook, then click
Print
How to save my excel file:

From top left, click File, then click Save As, select a location to save, type in selected file name, then click Save
Password for locked tab: cyber

Helpful Links:
FINRA Resources:
FINRA's Report on Cybersecurity Practices-2018
FINRA’s Report on Cybersecurity Practices-2015
FINRA List of Common Cybersecurity Threats
FINRA's Core Cybersecurity Controls for Small Firms
FINRA Firm Checklist for Compromised Accounts
FINRA Rules - Cybersecurity Overview
FINRA - Rules - Guidance - Notices
Relevant Notices
Imposter Websites Impacting Member Firms
Cybersecurity Alert: Cloud-Based Email Account Takeovers
FINRA Alerts Firms to Increased Ransomware Risks - Notice 22-29
FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors - Notice 21-29
Rule 6439 Governing Operation of Inter-dealer Quotation Systems - Notice 21-28
FINRA Alerts Firms to Recent Increase in ACH “Instant Funds” Abuse - Notice 21-14
Others:
Center for Internet Security website
NIST Small Business Cybersecurity Corner
NIST Framework Version 1.1
Center for Internet Security - Top 20 CIS Controls & Resources
FFIEC - Cybersecurity Assessment Tool
Homeland Cybersecurity Evaluation Tool for Self Assessment
CSIS -Controlled Use of Administrative Privileges
SysAdmin Audit Network and Security (SANS.Org)
Compilation of States Security Breach Notification Laws
FBI Contact List
Secret Service Contact List
FINCEN - SAR Reporting of Cybersecurity Events
Section 1 - Identify and Assess Risks-Inventory
Personally Identifiable information, NIST’s Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (see pages 2-1 and 2-2)
Inventory of PII and Firm Sensitive Information, please see FINRA’s Report on Cybersecurity Practices - 2015 (see pages 12-13)
Asset Inventory, please see FINRA's Report on Selected Cybersecurity Practices - 2018 (see page 3)
Section 2 - Identify and Assess Risks-Minimize Use

Minimizing Collection of PII, NIST’s Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (see pages 4-3)
Risk Assessment, please see FINRA's Report on Cybersecurity Practices - 2015 (see pages 12-15)
Section 3 - Identify and Assess Risks-Third Party

Vendor Management, FINRA’s Report on Cybersecurity Practices (see pages 26-30)
AICPA Reporting on Controls at Service Organization (SSAE 18)
2020 Standardized Information Gathering (SIG) Tools (Questionnaire firms can use for collecting information on vendors
Insider Threats, please see FINRA's Report on Selected Cybersecurity Practices - 2018 (see pages 8-12)
Section 4 - Protect-Information Assets

NIST's Guide to Malware Incident Prevention and Handling (see sections 3 & 4)
Technical Controls, please see FINRA's Report on Selected Cybersecurity Practices - 2018 (see pages 16-22)
Section 5 - Protect-System Assets

Identifying Critical Assets to Protect, FINRA’s Report on Cybersecurity Practices for a discussion on conducting the inventory (see page 12)
Section 6 - Protect-Encryption
Understanding Encryption, FINRA’s Report on Cybersecurity Practices (see pages 20-21)
Data Loss Prevention, please see FINRA's Report on Selected Cybersecurity Practices - 2018 (see page 11)
Section 7 - Protect-Employees Devices

Securing Mobile Devices, SANS Institute on Cybersecurity The Critical Security Controls for Effective Cyber Defense Version 5.0 (see page 19)
Mobile Devices, please see FINRA's Report on Selected Cybersecurity Practices - 2018 (see pages 14-16)
Section 8 - Protect- Controls and Staff Training

Vendor Management, FINRA’s Report on Cybersecurity Practices (see pages 31-33)
Staff Training, FINRA's Report on Cybersecurity Practices - 2015 (see pages 31-33)
Section 9 - Detect-Penetration Testing

Conducting Penetration Testing, NIST’s Technical Guide to Information Security Testing and Assessment
FINRA’s Report on Cybersecurity Practices (see pages 21-22)
Penetration Testing, please see FINRA's Report on Selected Cybersecurity Practices - 2018 (see pages 13-14)
Section 10 - Detect-Intrusion
NIST's Guide to Intrusion Detection and Prevention Systems (IDPS) final version
Security Information and Event Management (SIEM) and User and Entity Behavioral Analytic (UEBAQ) Tools, FINRA's Report on Selected Cybersecurity Practices - 20
Section 11 - Response Plan

Issues to Consider when Developing a Response Plan, FINRA’s Report on Cybersecurity Practice (see pages 23-25)
Incident Response Planning, FINRA's Report on Cybersecurity Practices - 2015 (see pages 23-25)
Section 12 - Recovery
Eradication of Cyber breach and Recovery, NIST’s Computer Security Incident Handling Guide (see pages 35-37)
Incident Response Planning, FINRA's Report on Cybersecurity Practices - 2015 (see pages 23-25)
If your answer to the following question is YES, complete this tab (Section 1):
1) Does your firm store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive
information (e.g., financial records) electronically?
Section 1- Identify and Assess Risks: Inventory (Definitions provided below in rows 21-36)
***Risk Severity Level
*Description of PII or Firm Sensitive Data **Location (e.g., Network Drive, Systems Folder, Email) (H/M/L)
Group Level Example: Customer Account Information Network Drive High
Granular Example: Customer SS# G Drive High
Definitions:
Where is personally identifiable information (PII) or firm sensitive information located on your firm's systems or other electronic storage (include your branch
offices and unregistered locations)?
* PII or Firm Sensitive Information – includes name, social security number, date and place of birth, mother’s maiden name, or financial records including
customer accounts and holding information. Firm sensitive information can include data such as contact address information, email addresses, marketing
plans, employee information, financial records, and tax filings, etc. Firms can list data at a group level such as customer account information, or at the
granular level such as social security number, customer name, date of birth, etc.
** Location – where the electronic information information is stored, such as on a network drive, system folder, laptop or email. If the same data is stored in
more than one location, complete a separate entry for each location.
*** Risk Severity Level – Assign a risk severity classification to the data (e.g., low, medium or high). There is no one-size-fits-all way to assign risk severity, but
a firm may consider the severity of the impact to customers and the firm if the PII or firm sensitive data were compromised.
Directions on inserting new rows:

Select a row in orange and right-click on the row number; choose "Insert." If you insert row(s) on Section 1, remember to also insert row(s) for Sections 2, 4,
6, and Summary. Once you have inserted the row(s) in Sections 2, 4, 6, and Summary, you will need to copy the formula from that Section into the newly
created row(s). Do this by right-clicking on an existing row and choosing copy, then selecting the new row(s) and right-clicking and choosing paste. If you
have any questions feel free to email us at cybertech@finra.org.
1) Does your firm store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically?
Section 2- Identify and Assess Risks: Minimize Use (See more details below in rows 21-29)
** Business objective can be ***Remediation Needed?

Location (e.g., Network *Business objective accomplished without data
Risk Severity Level
PII or Firm Sensitive Data Drive, Systems Folder, can be met without being output or shared with
(H/M/L)
Email) data (Y/N)? other internal systems or
people (Y/N)? Remediation
Yes/No Remediation Steps Status
Group Level Example: Customer Account

Information Network Drive High No N/A
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
Have you taken steps to minimize the use and proliferation of PII or firm sensitive data?
* Business objective can be met without data – One way to mitigate risk is to remove the PII or firm sensitive data from your systems and networks. Consider whether your firm can do its business without storing the PII
or firm sensitive information in the system or network location. When removing data from your firm's systems and networks, keep in mind any books and records obligations that may apply to this data.
** Sharing data – Consider how the PII or firm sensitive data is shared, identify people or systems that do not require access to the data, and consider limiting access to this data to those who need it.
*** Remediate – If you determine that there is no business purpose to store or share the PII or firms sensitive information, you may remediate by either removing the data from the location or not sharing it. When
removing data from your systems and networks, keep in mind any books and records obligations that may apply to this data. If the firm is required to store and share the data, consider the risk severity of the data being
compromised and consider whether a business practice could be changed to mitigate the risk (e.g., if a business process involves using a customer’s social security number, change the process to use another customer
specific identifier rather than the social security number).

Select a row in orange and right-click on the row number; choose "Insert." If you insert row(s) on Section 1, remember to also insert row(s) for Sections 2, 4, 6, and Summary. Once you have inserted the row(s) in Sections
2, 4, 6, and Summary, you will need to copy the formula from that Section into the newly created row(s). Do this by right-clicking on an existing row and choosing copy, then selecting the new row(s) and right-clicking and
choosing paste. If you have any questions feel free to email us at cybertech@finra.org.
2) Does your firm transmit PII or firm sensitive information to a third party, or otherwise allow access to PII or firm sensitive information by a third party or supply chain vendor?
Section 3- Identify and Assess Risks: Third Party or Supply Chain Vendor (See more details below in rows 21-35)
**PII or Firm Sensitive ^ Have you assessed the ^^ Are there controls in
*Name of Third-Party ****Is it necessary for the Third- Third-Party Organization or place to isolate Third- ^^^ Remediation Needed?
Organization or *****Supply Data transmitted to Third- ***Risk Severity Party Organization or SCV to SCV to ensure that they have Party /SCV Connections
Party Organization/SCV Level
Chain Vendor (SCV) (Y/N)? access the data transmitted (Y/N)? effective security practices from your critical assets
(Y/N)? (Y/N)?
Remediation
Bank
Clearing Firm
^ Have you assessed the ^^ Are there controls in

**PII or Firm Sensitive ^^^ Remediation Needed?
*Name of Third-Party Data transmitted to Third- ***Risk Severity ****Is it necessary for the Third- Third-Party Organization or place to isolate Third-
Organization or *****Supply Party Organization or SCV to SCV to ensure that they have Party /SCV Connections
Chain Vendor (SCV) Party Organization/SCV Level access the data transmitted (Y/N)? effective security practices from your critical assets
(Y/N)?
(Y/N)? (Y/N)?
Remediation
Third-Party Risk Management: Does your firm transmit PII or firm sensitive information to a third party, or otherwise allow access to PII or firm sensitive information by a third party? (e.g., vendors, clearing firm, supply chain, customers, etc.)?
* Name of Third-Party – Corporation or individual’s name including supply chain vendors.

** PII or Firm Sensitive Information Transmitted – Answer "yes" if the third party receives or has access to PII or firm sensitive information.
*** Risk Severity Level – For each third party organization or supply chain vendor, assign a risk level. Assign a risk severity classification to the data transmitted (e.g., low, medium or high). There is no one-size-fits-all way to assign risk severity, but a firm
may consider the severity of the impact to customers and the firm if the data being transmitted to the third party organization were compromised.
**** Is it necessary for the third-party organization to access the data transmitted – Assess whether the third party requires the information it can access for a business purpose.
^ Third-Party Security – If the third party has access to PII or firm sensitive information, take steps to consider the security of the third-party’s systems. In the absence of an ability to make an assessment, attempt to obtain a reliable assessment of the
third-party’s security protections, such as its most recent SSAE 18 report. The SSAE 18 report is an internal control report on the services provided by a service organization providing valuable information that can be used to assess and address the risks
associated with an outsourced services.
^^ Isolate – Consider if the third party access to information is limited to information it requires for business reasons; and the third party should be prohibited from accessing other information.
^^^ Remediate – Consider the risk severity level and resources and make a risk assessment of whether any remediation is necessary, such as denying access to the third party, conducting a security review of the third party, or isolating the third party’s
access to information it needs for a business purpose.
***** Supply Chain Vendor (SCV) – supplier, vendor, provider of services or goods that sell goods or services to the next link in the chain that the firm indirectly relies on.
Select a row in orange and right-click on the row number; choose "Insert." If you insert row(s) on Section 1, remember to also insert row(s) for Sections 2, 4, 6, and Summary. Once you have inserted the row(s) in Sections 2, 4, 6, and Summary, you will
need to copy the formula from that Section into the newly created row(s). Do this by right-clicking on an existing row and choosing copy, then selecting the new row(s) and right-clicking and choosing paste. If you have any questions feel free to email us
at cybertech@finra.org.

(Y/N)?
(Y/N)? (Y/N)?
Remediation
Manage Vendors and Customer Access Checklist
Remediation Needed?
Activity Yes/No Yes/No Remediation Steps Remediation Status
Pre-contract due diligence on

vendors
Ongoing due diligence of existing

vendors
Assure vendor only has access to

parts of system it needs
Ex-vendors/customers' access
terminated immediately
Customer's access is limited to

customer's data
Does Contract Address (Y/N):
Non-disclosure agreements and

confidentiality agreements
Data storage, retention, delivery,

and encryption
Breach notifications
Right-to-audit clauses
Vendor employee access

limitations
Use of subcontractors
Vendor obligation upon contract

termination

(Y/N)?
(Y/N)? (Y/N)?
Remediation
Security processes initiated by

the vendor (e.g., acquire copy of
SSAE 18 Report-Reporting on
Controls at a Service
Organization)
VENDOR MANAGEMENT (including Supply Chain Vendor (SCV):
Member firms – including small firms – have increasingly leveraged vendors to implement systems and perform key functions (e.g., customer
relationship management systems, clearing arrangements, account statement generation) and often contract with Managed Service Providers
(MSPs) and Managed Security Service Providers (MSSPs), respectively, to oversee their IT infrastructure and cybersecurity programs. Relying on
vendors may help small firms reduce operating costs, improve efficiency and concentrate on core broker-dealer operations. However, due to the
recent increase in the number and sophistication of cyberattacks, FINRA reminds firms of their obligations to oversee, monitor and supervise
cybersecurity programs and controls provided by third-party vendors. Firms may want to consider asking the following questions, where applicable,
with respect to how they select, conduct due diligence on and document relationships with cybersecurity vendors:
• Does your firm have a process for its decision-making on outsourcing, including the selection of cybersecurity vendors? Does this process engage
key internal stakeholders and consider the impact of such outsourcing on its ability to comply with federal securities laws and regulations, and
FINRArules?
• Does your firm implement risk-based due diligence on vendors’ cybersecurity practices critical to managing risks present in a firm’s environment,
including the ability to protect sensitive firm and customer non-public information?
• Does your firm document relationships with vendors in written contracts that clearly define all parties’ roles and responsibilities related to
cybersecurity, such as evidencing compliance with federal and state securities laws and regulations, and FINRA rules; protection of sensitive firm
and customer information; and notifications to your firm of cybersecurity events, and the vendor’s efforts to remediate those events?
• Does your firm conduct independent, risk-based reviews to determine if vendors have experienced any cybersecurity events, data breaches or
other security incidents? If so, does your firm evaluate the vendors’ response to such events?
• Does your firm's incident response plan describe appropriate steps to follow if a cyber incident occurs at a critical third-party vendor or supply
chain vendor?
Section 4- Protect: Information Assets (See more details below in rows 21-27)
^^ Remediation Needed?
* Password Protection ** Malware/Anti- ^ List other protections
Location (e.g., Network Risk Severity Installed and Password
PII or Firm Sensitive Data Drive, Systems Folder, Email) Level (H/M/L) Reset From Default Virus Protection (e.g., firewalls used to
Installed (Y/N)? protect assets)
(Y/N)? Remediation
Information Network Drive High
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
* Password Protection – Are the systems where your firm stores, uses, or transmits PII or firm sensitive data password protected? If so, have you reset from the default password?
** Malware/Anti-Virus Protection – Does your firm install and regularly update malware or anti-virus software?
^ Other Protections – Does your firm use other protections like firewalls to protect information?
^^ Remediate – Conduct a risk assessment of the strength of the protections considered with the assigned risk severity level, together with resources and consider whether protections should be enhanced (e.g., include stronger password
requirements, installing malware or anti-virus protections or other system protections).

Select a row in orange and right-click on the row number; choose "Insert." If you insert row(s) on Section 1, remember to also insert row(s) for Sections 2, 4, 6, and Summary. Once you have inserted the row(s) in Sections 2, 4, 6, and Summary,
you will need to copy the formula from that Section into the newly created row(s). Do this by right-clicking on an existing row and choosing copy, then selecting the new row(s) and right-clicking and choosing paste. If you have any questions
feel free to email us at cybertech@finra.org.
Section 4- Protect: Information Assets (See more details below in rows 21-27)
* Password Protection ** Malware/Anti- ^ List other protections
Location (e.g., Network Risk Severity Installed and Password
PII or Firm Sensitive Data Drive, Systems Folder, Email) Level (H/M/L) Reset From Default Virus Protection (e.g., firewalls used to
Installed (Y/N)? protect assets)
(Y/N)? Remediation
Does your firm have a process in place defining and implementing a password policy, educating users and regularly updating malware
and anti-virus software?
Remediation Needed?
Remediation
Policy Yes/No Yes/No Remediation Steps Status
Password Strength Policy
Frequency of Password Change Policy
Multi-Factor Authentication
Training Employees on Password Hygiene
Anti-Virus Regularly Updated Policy
Malware Regularly Updated Policy

4) Does your firm have assets that if lost or made inoperable would impact your firm's operations (e.g., trading or order managements systems)?
Section 5- Protect: System Assets (See more details below in rows 21-31)
Are your backup data
*** Password Protection ^ Malware/Anti-Virus recently tested? Are your backups ^^^ Remediation Needed?
^^ Regularly
** Risk to Firm if System Installed and Password Protection Installed Scheduled Backups include the date last separated from
* System
is Inoperable (H/M/L) Reset From Default tested or plan to test production
(Y/N)? (Y/N)? (Y/N)? under Remediation environment? (Y/N) Remediation
Steps Yes/No Remediation Steps Status
List system assets that are important to your firm's operations (e.g., trading or order management systems or systems maintaining customer account information):
* Systems – List systems where assets reside.

** Risk to Firm if System is Inoperable – Assess risk of how important a loss of the asset would be to your firm’s operations.
*** Password Protection – Is access to the asset password protected? If so, have you reset from the default password?
^ Malware/Anti-Virus Protection – Does your firm install and regularly update malware or anti-virus software? Or have firewalls?
^^ Regularly Scheduled Backups– Does your firm have regularly scheduled backups to restore critical data or systems should they be lost in a cyber-incident?
^^^ Remediate – Conduct a risk assessment of the strength of the protections considered with the assigned risk of the system being inaccessible, together with its resources and consider whether protections should be enhanced (e.g., include stronger password
requirements, installing malware, anti-virus protections or firewalls, or regularly schedule backups). See Recovery section in this checklist for other considerations.

Select a row in orange and right-click on the row number; choose "Insert." If you insert row(s) on Section 1, remember to also insert row(s) for Sections 2, 4, 6, and Summary. Once you have inserted the row(s) in Sections 2, 4, 6, and Summary, you will need to copy
the formula from that Section into the newly created row(s). Do this by right-clicking on an existing row and choosing copy, then selecting the new row(s) and right-clicking and choosing paste. If you have any questions feel free to email us at cybertech@finra.org.
Section 6- Protect: Encryption (See more details below in rows 21-30)

** Is data encrypted *** Is data
* Is data
when shared encrypted when ^ Is data
Risk Severity Level encrypted in
PII or Firm Sensitive Data Location (H/M/L) transit to external internally and at rest archived to masked when
within the system backup media displayed (Y/N)?
sources (Y/N)?
(Y/N)? (Y/N)? Remediation

Information Network Drive High
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
Encryption is the process of encoding messages or information in such a way that only authorized parties can read it.
Has your firm taken steps to encrypt the data?
* Encrypted in transit to external sources – Data can be a shared in many ways, including an email to someone external to the firm, over the internet, and between client and a server, between two servers, between two networks, etc. If
the firm prohibits PII from being transmitted to external sources, note this in the remediation steps.
** Internal use – Data may be stored in many places within an organization, including on file servers, on workstations and on portable media such as thumb drives. Data also may be shared internally via email between two employees, for
example.
*** Encrypted at backup – Data is often stored in a non-network or non-system media which can be lost or stolen.
^ Has it been masked when displayed – Data, such as social security numbers, can be masked whenever displayed to a person accessing that data.
^^ Remediate – After identifying where data is encrypted and where it is not, consider the risk severity level and its resources, and decide what remediation steps to take, if any, including encrypting all outgoing emails or all emails,
encrypting all PII and firm sensitive information at rest or in storage, or masking the data when it is displayed.
Section 6- Protect: Encryption (See more details below in rows 21-30)

Encryption is the process of encoding messages or information in such a way that only authorized parties can read it.
Has your firm taken steps to encrypt the data? ^^ Remediation Needed?
** Is data encrypted *** Is data
* Encrypted in transit to external sources – Data can be a shared in many ways, including an *email Is data
to someone when
external to the firm,encrypted
shared over the internet,
when and^ between
Is data client and a server, between two servers, between two networks, etc. If
the firm prohibits PIISensitive
from being transmitted to external Riskthis
sources, note Severity
in the Level
remediationencrypted
steps. in
PII or Firm Data Location (H/M/L) internally and at rest archived to masked when
** Internal use – Data may be stored in many places within an organization, including ontransit to external
file servers, on workstations and on
within the systemportable media such as thumb
backup media displayed drives. Data also may be shared internally via email between two employees, for
(Y/N)?
example. sources (Y/N)?
(Y/N)? (Y/N)? Remediation
*** Encrypted at backup – Data is often stored in a non-network or non-system media which can be lost or stolen. Yes/No Remediation Steps Status
^ Has it been masked when displayed – Data, such as social security numbers, can be masked whenever displayed to a person accessing that data.
^^ Remediate – After identifying where data is encrypted and where it is not, consider the risk severity level and its resources, and decide what remediation steps to take, if any, including encrypting all outgoing emails or all emails,
encrypting all PII and firm sensitive information at rest or in storage, or masking the data when it is displayed.
4) Do your firm's employees (or independent contractors/branch reps) maintain non-firm issued devices or systems (e.g., server, storage, etc.) that access or stores PII or firm sensitive information?
Section 7 - Protect: Employee Devices (See more details below in rows21-28)

^ Device Only authorized
Device Type (e.g., Ability to wipe device
Name of Employee/Independent computer, servers, Device Owner (Firm or * Device has access to PII and ** Risk Severity Protected/E remotely if lost persons can List Protections
Contractor/Branch Rep Individual) Firm Sensitive Data(Y/N)? Level (H/M/L) ncrypted download
storage etc.) (Y/N)? (Y/N)? software (Y/N)?
Remediation
Are permissions restricted and devices protected?
* Access to PII and Firm Sensitive Data – Does the device have access to PII and firm sensitive data? Do your Independent Contractors or registered persons have access to the firm's network? Are there servers or storage system at the branch owned or controlled by independent
contractors or registered persons?
** Risk Severity Level – Assign a risk severity level to the PII or firm sensitive information the person can access considering the impact to customers and the firm if the information were compromised.
^ Protected/Encrypted – Are devices secured with passwords? Is data encrypted if lost?
^^ Remediate – Consider the access to PII and firm sensitive information and the risk severity of compromise, and conduct a risk assessment of whether to deny access to all or part of the PII or firm sensitive information, protect the information better by encrypting the data and having
the ability to remove all data from a device if it is lost or stolen.

Select a row in orange and right-click on the row number; choose "Insert." Reminder: you will need to copy the formula from that Section into the newly created row(s). Do this by right-clicking on an existing orange row and choosing copy, then selecting the new row(s) and right-clicking
and choosing paste.
4) Do your firm's employees (or independent contractors/branch reps) maintain non-firm issued devices or systems (e.g., server, storage, etc.) that access or stores PII or firm sensitive information?
Section 7 - Protect: Employee Devices (See more details below in rows21-28)

^ Device Only authorized
Device Type (e.g., Ability to wipe device
Name of Employee/Independent computer, servers, Device Owner (Firm or * Device has access to PII and ** Risk Severity Protected/E remotely if lost persons can List Protections
Contractor/Branch Rep Individual) Firm Sensitive Data(Y/N)? Level (H/M/L) ncrypted download
storage etc.) (Y/N)? (Y/N)? software (Y/N)?
Remediation
DEVICES:
Firms may want to consider asking the following questions, where applicable, with respect to how they assess the cybersecurity risks at each of their branches, and implement appropriate controls to mitigate these risks:
• Does your firm understand where its cybersecurity risks lie, specifically is this section within its technology hardware and software asset inventories?
• Does your firm allow branch office(es) to host non-firm managed servers, applications, or systems such as email? If yes, what security controls has the firm required to be implemented by the branch(es) to manage such servers or systems and how does the firm enforce such security
controls?
• Does your firm’s staff in cybersecurity/IT positions have the technical skillsets to properly configure tools and applications?
• How does your firm verify that its critical and sensitive systems have adequate protection and detection controls?
• What cyber hygiene controls (e.g., endpoint, MFA, email encryption, DLP) does your firm implement?
• Does your firm enable automatic patching and automated updating features of operating systems and other software to help ensure the latest security controls are in place a?
• Does your firm prohibit the sharing of passwords amongst firm staff, and particularly on privileged or admin accounts?
BRANCH CONTROLS:
Overseeing IT and cybersecurity controls across a branch network can be challenging for small firms, in particular at firms that permit registered persons to use non-firm issued infrastructure, applications, and devices. A branch network may present challenges for a firm’ seeking to
implement a consistent firm-wide cybersecurity program. Some firms may experience increased challenges if their branches may, for example, purchase their own assets, allow Bring Your Own Devices (BYOD), use nonapproved vendors, or not follow their firm’s software patching and
upgrade protocols. As a result, firms should evaluate whether they need to enhance their branch-focused cybersecurity measures to maintain robust cybersecurity controls and protect customer information across their organizations. Firms may want to consider asking the following
questions, where applicable, with respect to how they supervise their branch network:
• What policies and procedures regarding cybersecurity and annual attestations of compliance have been established for each of your firm’s branch offices?
• What cybersecurity training is required when onboarding new branch locations or new staff?
• How does your firm confirm each of its branches meet firm cybersecurity standards, use firm-recommended vendors or other vendors meeting firm standards? What consequences does the firm impose (such as fines, sanctions or termination) on branches and registered
representatives engaging in repeat violations of firm standards?
• What compliance and technology support does your firm provide its branches and registered representatives implementing firm cybersecurity protocols?
• What are your firm’s configuration requirements for physical security and technical controls at each branch (e.g., hard drive encryption, virus protection, MFA, patching and removable storage media)? How does your firm monitor these controls? Are these controls reviewed during
branch inspections or monitored through the use of automated tools?
• How does your firm confirm that each of its branches use only secure, encrypted wireless settings for office and home networks?
• If a review of one of your firm’s branches identifies material deficiencies or reported material cybersecurity incidents, how does it confirm that the branch has implemented corrective action?
If your answer to the following question is YES, please complete this tab (Section 8):
1) Does your firm store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records)
electronically?
Section 8 - Protect: Controls and Staff Training

Are the following controls implemented? If no, conduct a risk assessment on whether to remediate.
Remediation Needed?
Remediation
Controls Implemented (Y/N)? Risk Severity Level (H/M/L) Yes/No Remediation Steps Status
Ex-employees/contractors and
ex-vendors/customers access terminated
immediately?
Monitor employees' and vendors' systems

access? Vendors include anyone with access to
firm's or clients' sensitive information (e.g.,
attorneys, consultants, supply chain vendors)
Account credentials (login and password) are

used only by the person for whom it is
created. For example, sharing of account
credentials to access FINRA systems is strictly
prohibited.
Staff Training
Does your firm define cybersecurity training
needs?
Does your firm conduct training in regular

intervals (e.g., quarterly or annually)?
Does your firm use interactive training?
Does training take into account firm specific

risks (e.g., phishing attacks), systems and loss
incidents history?
TRAINING & SECURITY AWARENESS:

A well-trained staff is an important defense against cyberattacks. Even well-intentioned staff can become inadvertent vectors for successful cyberattacks, so effective training helps
reduce the likelihood that such attacks will be successful. Firms may want to consider asking the following questions, where applicable, with respect to how they design internal
cybersecurity training, what personnel they require to take the training and how frequently they conduct and evaluate the training:
• How frequently and consistently does your firm conduct cybersecurity training? Are all individuals or third parties with access to PII or sesitive firm info at the firm included in
cybersecurity training?
• Is your firm’s training tailored to the cybersecurity training applicable to its business? How does your firm ensure that cyber and IT personnel are trained and kept abreast of the
cybersecurity threat landscape to continuously assess the effectiveness of technical controls?
• Does your firm’s training include simulated phishing exercises to validate employee understandingand track participation metrics? What consequences do employees face if they don’t
pass (e.g., mandatory retraining)?
• Does the training encompass a variety of methods (e.g., reminder emails, online formal training, discussions of actual events)?
• Has your firm considered incorporating a formal or informal evaluation of the staff’s understanding of and compliance with firm cybersecurity requirements into its training program
(i.e., cybersecurity and IT control training needs analysis)?
At the minimum, does your training cover the following areas?
Phishing:
Phishing is one of the most common cybersecurity threats affecting firms – it may take a variety of forms, but all phishing attempts try to convince the recipient to provide information or
take action. The fraudsters typically try to disguise themselves as a trustworthy entity or individual via email, instant message, phone call or other communication, where they request
personally identifiable information (PII) (such as Social Security numbers, usernames or passwords), direct the recipient to click on a malicious link, open an infected attachment or
application, or attempt to initiate a fraudulent wire transfer or transaction. Firms may want to consider asking the following questions, where applicable, with respect to how they
identify, prevent and mitigate phishing attempts:
• Do your firm’s policies and procedures address phishing by, for example:
- identifying phishing emails
- clarifying that staff should not click on any links or open any attachments in phishing emails
- requiring deletion of phishing emails
- developing a process to securely notify Information Technology (IT) administrators or compliance staff of phishing attempts
- implementing additional controls (e.g., customer phone call backs, additional authentication requirements) for money movement requests, especially at higher dollar amounts, to
foreign jurisdictions, and/or to third party bank accounts; and
- ensuring proper resolution and remediation after phishing attacks, and implementation of additional controls to prevent recurrence?
• Has your firm implemented email scanning and filtering to monitor and block phishing and spam communication? Are external emails clearly marked with warning to recipients to
exercise caution with links, attachments and requests for login information? Do your users know how to report suspicious email to the security team?
• Does your firm regularly conduct phishing email campaign simulations to evaluate employee understanding and compliance of its phishing policies and procedures?
Malware:
Malware is a catch-all term for multiple types of malicious software (e.g., viruses, spyware, worms) designed to cause damage to a stand-alone or networked computer. Malware most
often originates from phishing emails where a user clicked on a link or opened an attachment. Once activated, it can mine a firm’s system for PII and sensitive data; erase data; steal
credentials; alter, corrupt or delete a firm’s files and data; take over an email account; and even hijack device operations or computer-controlled hardware. Firms may want to consider
asking the following questions, where applicable, with respect to how they identify, prevent and respond to malware attacks:
• How does your firm train employees to recognize and report cyberattacks involving malware?
• What preventative measures does your firm take (e.g., endpoint malware protection) to defend against malware?
• How does your firm monitor for indications of malware on your firm’s systems?
• How does your firm’s incident response plan address malware infections?
• How does your firm incorporate threat intelligence regarding newly identified instances of viruses or other types of malware into its IT infrastructure?
Section 9 - Detect: Risk Assessment
Risk Assessment in place for Remediation Needed?
Home Office and Branch Tested? Date tested Problems/Vulnerabilities Identified Risk Severity Level (H/M/L) Remediation
Locations: Yes/No Remediation Steps Status
External (internet) - pen

testing
Internal (intranet, employee

or ex-employee)
Application Specific
RISK MANAGEMENT:
Consider conducting a risk assessment of your firm and its infrastructure using either external resources or internal staff.
• External testing may include penetration testing while internal testing may include vulnerability assessment.
• Determine the total risk landscape based on your business model and the scope of the systems you want tested considering current and emerging risks and your resources. For example, will the Risk Assessment be limited to identifying
vulnerabilities or will the test attempt to obtain sensitive information from the firm? Will the test include outside threats, mainly the internet or will it also include internal (employee, contractor), or will it include critical third-party
vendor/supply chain vendor? Should the test be done as a surprise without letting employees or users of your system know, or should they be informed?
• After conducting the test, firms should identify vulnerabilities, risk rank them as high, medium, low, and maintain a documented Risk Log. Firm should develop a comprehensive plan to remediate identified risks.
• Risk assessments should include branch locations. In performing risk assessment of their branches, firms should keep in mind that effective technical controls perform many critical functions, such as keeping unauthorized individuals
from gaining access to a system and detecting when a security violation has occurred. However, small firms may not have sufficient resources to ensure adequate safeguards around all possible attack surfaces, especially in today’s
hyperconnected world and ever-changing risk landscape. Small firms can use a cybersecurity risk assessment to determine which threats are most significant for each branch and then identify and implement appropriate technical and
other controls to mitigate those threats.
• Has your firm verified that its critical and sensitive systems have adequate protection and detection controls?
Section 10 - Detect: Intrusion

Does the IDS/IPS have Remediation Needed?
Has the firm
System implemented an IDS/IPS intrusion Risk Severity Level (H/M/L)
protection/detection
(Y/N)? Yes/No Remediation Steps Remediation Status
capabilities (Y/N)?
Intrusion Detection System/Intrusion

Prevention System (IDS/IPS)
Consider an Intrusion Detection System (IDS) and/or Intrusion Prevention System (IPS), which detects or prevents attempts to compromise the confidentiality, integrity or availability of firm systems. Intrusion detection or prevention
products are tools that can assist in protecting a company from intrusion by expanding the options available to manage the risk from threats and vulnerabilities. Intrusion detection and prevention capabilities can help a firm secure its
information. The tool could be used to detect or prevent an intruder, identify and stop the intruder, support investigations to find out how the intruder got in, and stop exploitation by future intruders.
One simple, but effective method for the firm to detect potential threats is to provide firm staff with a mechanism to easily report suspicious cyber activity to the firm for investigation. This could be in the form of a hotline, dedicated
email address or a SPAM button in the firm's email application. For example, if a staff person receives a phishing email and notes it as such, they should contact someone at the firm who can take action to prevent an intrusion before a
colleague clicks on the link.
Are the following controls implemented? If No, assess the risk of not having the controls and decide whether to remediate.
Remediation Needed?
IDS/IPS Controls Yes/No Yes/No Remediation Steps Remediation Status
Does your firm have receive threat

information from any outside sources (e.g.,
Financial Services Information Sharing and
Analysis Center (FS-ISAC))?
Does your firm have processes in place to

triage and act on threat information
received?
Does your firm utilize tools to regularly

scan/monitor your systems for
vulnerabilities, secure configuration, and
current patch levels?
Does your firm monitor the results of these

scans and address discrepancies in a timely
manner?
Are there defined metrics for tracking the

condition of the firm's cybersecurity
controls and reporting that condition to
senior executives in a manner they find
actionable?
Ransomware
Ransomware attacks are an increasingly common threat for small firms, and can quickly cripple their business operations, as well as expose firms to risks of
data exfiltration and publication. This type of highly sophisticated malware commonly encrypts a firm’s files, databases or applications to prevent firm
employees from accessing them until a ransom demand is paid to the fraudster. Firms may want to consider asking the following questions, where applicable,
with respect to how they identify, prevent and respond to ransomware attacks:
• Has the firm evaluated capabilities to detect and block sophisticated attacks, using tools such as endpoint detection and response (EDR), a host-based
intrusion detection system (HIDS) and a host-based intrusion prevention system (HIPS)?
• Does your firm keep offline backups of systems and data? Are recovery capabilities tested on a regular basis?
• Does your firm’s incident response plan include a scenario for potential ransomware attacks? If so, does your plan address factors such as:
- making cybersecurity insurance claims
- engaging cybersecurity experts to conduct forensics investigations and to assist in recovery efforts
- assessing and mitigating the impact of these attacks; and
- notifying affected parties (e.g., customers, employees, regulators) as required by data breach notification laws applicable to your firm?
Section 11 - Response Plan (See more details below in rows )
Response Plan in Risk Severity Level Remediation Needed?
Incident
Place (Y/N)? (H/M/L) Yes/No Remediation Steps Remediation Status
Create communications plan and review with executives. Conduct test on how
Example: Ransomware Attack No High Yes we would respond if we suffered a ransomware attack. In Process
Prepare incident responses to which you are most likely to be subject. The response should include a communication plan to notify your senior executives who need to know about the incident. Firm senior
executives should decide how to contain and mitigate the breach. You should run through different types of incidents you may suffer and plan how you would respond. Firms should prepare incident
responses for those types of incidents to which the firm is most likely to be subject, e.g., loss of customer PII, data corruption, denial of service (DoS) or distributed denial of service (DDoS) attack, network
intrusion, customer account intrusion or malware infection. Types of responses to consider include: full or partial shutdown of systems, disconnect system from the network, delete and reinstall malware, or
disabling a user from system access. You can add to or delete from the list as appropriate to your business. Remenber to report incidents impacting clients and firm to regulators, law enforcement and file
SAR reports as needed.
FBI Contact List

Incident
Secret Service Contact List

Select a row in orange and right-click on the row number; choose "Insert." Reminder: you will need to copy the formula from that Section into the newly created row(s). Do this by right-clicking on an existing
orange row and choosing copy, then selecting the new row(s) and right-clicking and choosing paste.
Identifying relevant stakeholders who you should consider notifying of a breach

Law Third-Party Information
Incident Type Customers Regulators Enforcement Industry Sharing Organizations
Example: Ransomware Attack
Metrics
Activity/Governance Yes/No
Do you maintain a list of cybersecurity

incidents? (i.e., phishing, stolen device,
etc.)
Have you created a dashboard to track

creative patch coverage, anti-virus
coverage, and the number of employees
who have taken training and other
proactive defensive measures?
Does your firm review customer complaints

and potential cyber-related activity?
Does your firm share metrics with your CEO
and COO?
Does your firm prioritize allocation of
cybersecurity resources?
Does your firm communicate with senior

executives on cybersecurity and
outstanding risks?
Does your firm have Cyber Insurance?
Incident
INCIDENT RESPONSE:
Incident response plans can help small firms rapidly and effectivly address cybersecurity events and incidents. Cybersecurity-related incidents may require firms to file a Suspicious Activity Report (SAR) with
the Financial Crimes Enforcement Network (FinCEN), as well as to notify the FBI through their Internet Crime and Complaint Center (IC3) and the Federal Trade Commission (FTC). Firms may want to consider
asking the following questions, where applicable, with respect to how they develop and implement their incident response plans:
• Does your firm maintain an incident response plan to identify and escalate incidents in a timely manner?
• Does your firm have the data inventory, assets inventory, and controls to assess the impact of incidents?
• Does your firm have capabilities for incident detection, containment, mitigation, and recovery either from internal resources or with help from a third party? If from a third party, have you established the
relationship with defined service level agreements (SLAs)?
• What communication plans does your firm prepare for outreach to relevant stakeholders (e.g.,customers, regulators, law enforcement, intelligence agencies, industry information-sharing bodies) if an
incident occurs?
• Do your firm’s post incident reviews aim for improvements, including evaluating the incident management process, policy updates and control effectiveness?
• Have you tested the incident response plan within the past year?
• Has the firm investigated or considered cybersecurity insurance?
5) If your firm's systems, PII or firm sensitive information were made inoperable or stolen, would your firm need to recover them to conduct business?
Section 12- Recovery
In recovery, administrators restore systems to normal operation, confirm that the systems are functioning normally, and remediate vulnerabilities to prevent similar incidents.
If the answer to one of the below questions is No, firms should conduct a risk assessment and decide whether to invest in the process to remediate.
Remediation Needed?
Risk Severity
Controls
Level (H/M/L) Remediation
Yes/No Yes/No Remediation Steps Status
Does your firm have regularly scheduled backups to
restore critical data or systems should they be lost in a
cybersecurity incident?
Is it possible for your firm to rebuild systems from scratch

should it be necessary?
Does your firm have a plan to replace compromised files

with clean versions?
Does your firm have a plan to install patches, change

passwords and tighten network should a cybersecurity
incident take place?
Once a resource is successfully attacked, it is often

attacked again, or other resources within the organization
are attacked in a similar manner. If this has occurred at
your firm, has your firm considered implementing
heightened system logging and network monitoring?
Does your firm have backup system that is completely
separated from the firm's production environment? Has
your firm recently test its backup to be sure they are
usable in case of a ransomware attack?
Cybersecurity Summary Report
Firm Name: 0
Person(s) Responsible for Cybersecurity Program: 0
Cybersecurity Summary Report: This report consolidates your responses from sections 1-12 and can be used to understand where your cybersecurity risks are, where you may need to dedicate budget
and resources to remediate. This report may also be useful for executive and board level updates. The report includes 10 responses per section. If you would like to add more rows, please contact us
at memberrelations@FINRA.org. Note you can filter your report by clicking on the down arrow on the column you would like to sort, check the boxes for the data you want to display, then click okay.
Cybersecurity Function Firm Asset Risk Need to Remediate? Remediation Status

1 Identify and Assess Risks: Minimize Use Group Level Example: Customer Account Information High 0 0
1 Identify and Assess Risks: Minimize Use Granular Example: Customer SS# High 0 0
1 Identify and Assess Risks: Minimize Use 0 0 0 0
2 Section 3 - Identify and Assess Risks: Third Party Bank 0 0 0
2 Section 3 - Identify and Assess Risks: Third Party Clearing Firm 0 0 0
2 Section 3 - Identify and Assess Risks: Third Party 0 0 0 0
3 Section 4 - Protect: Information Assets Group Level Example: Customer Account Information High 0 0
3 Section 4 - Protect: Information Assets Granular Example: Customer SS# High 0 0
3 Section 4 - Protect: Information Assets 0 0 0 0
Firm Name: 0

4 Section 5 - Protect: System Assets 0 0 0 0
5 Section 6 - Protect: Encryption Group Level Example: Customer Account Information High 0 0
5 Section 6 - Protect: Encryption Granular Example: Customer SS# High 0 0
5 Section 6 - Protect: Encryption 0 0 0 0
6 Section 7 - Protect : Employee Devices 0 0 0 0
Firm Name: 0

6 Section 7 - Protect : Employee Devices 0
Ex-employees/contractors and ex-vendors/customers access 0 0 0
7 Section 8 - Protect: Controls and Staff Training terminated immediately? 0 0 0
Monitor employees' and vendors' systems access? Vendors include

anyone with access to firm's or clients' sensitive information (e.g.,
7 Section 8 - Protect: Controls and Staff Training attorneys, consultants, supply chain vendors) 0 0 0
Account credentials (login and password) are used only by the person
7 Section 8 - Protect: Controls and Staff Training for whom it is created. 0 0 0
7 Section 8 - Protect: Controls and Staff Training Does your firm define cybersecurity training needs? 0 0 0
Does your firm conduct training in regular intervals (e.g., quarterly or
7 Section 8 - Protect: Controls and Staff Training annually)? 0 0 0
7 Section 8 - Protect: Controls and Staff Training Does your firm use interactive training? 0 0 0
Does training take into account firm specific risks (e.g., phishing
7 Section 8 - Protect: Controls and Staff Training attacks), systems and loss incidents history? 0 0 0
8 Section 9 - Detect: Penetration Testing External (internet) - pen testing 0 0 0
8 Section 9 - Detect: Penetration Testing Internal (intranet, employee or ex-employee) 0 0 0
8 Section 9 - Detect: Penetration Testing Application Specific 0 0 0
9 Section 10 - Detect: Intrusion Intrusion Detection System/Intrusion Prevention System (IDS/IPS) 0 0 0

10 Section 11 - Response Plan Example: Ransomware Attack High Yes In Process
10 Section 11 - Response Plan 0 0 0 0
Firm Name: 0

Does your firm have regularly scheduled backups to restore critical

11 Section 12 - Recovery data or systems should they be lost in a cybersecurity incident? 0 0 0
Is it possible for your firm to rebuild systems from scratch should it be
11 Section 12 - Recovery necessary? 0 0 0
Does your firm have a plan to replace compromised files with clean
11 Section 12 - Recovery versions? 0 0 0
Does your firm have a plan to install patches, change passwords and
11 Section 12 - Recovery tighten network should a cybersecurity incident take place? 0 0 0
Once a resource is successfully attacked, it is often attacked again, or

other resources within the organization are attacked in a similar
manner. If this has occurred at your firm, has your firm considered
11 Section 12 - Recovery implementing heightened system logging and network monitoring? 0 0 0

Smallfirm Cybersecurity Checklist

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Smallfirm Cybersecurity Checklist

Uploaded by

Copyright:

Available Formats

CYBERSECURITY

Checklist for a Small Firm's Cybersecurity Program

Last Updated: (FINRA's last update) Version 1.3 June 2023

Cybersecurity Checklist Version 1.2 June 2020 Release Notes:

Legend for Text Entry Fields

Section 1 - Identify and Assess Risks: Inventory

If you answer yes to question 2, you will fill out:

Section 3 - Identify and Assess Risks: Third Party Access

If you answer yes to question 3, you will fill out:

Section 7 - Protect: Employee Devices

For questions: please email: cybertech@finra.org

How to print all sections (Entire Workbook):

How to save my excel file:

Password for locked tab: cyber

Section 1 - Identify and Assess Risks-Inventory

Section 2 - Identify and Assess Risks-Minimize Use

Section 3 - Identify and Assess Risks-Third Party

Section 4 - Protect-Information Assets

Section 5 - Protect-System Assets

Section 7 - Protect-Employees Devices

Section 8 - Protect- Controls and Staff Training

Section 9 - Detect-Penetration Testing

Section 11 - Response Plan

Group Level Example: Customer Account Information Network Drive High

Granular Example: Customer SS# G Drive High

Directions on inserting new rows:

** Business objective can be ***Remediation Needed?

Group Level Example: Customer Account

Granular Example: Customer SS# G Drive High

Directions on inserting new rows:

^ Have you assessed the ^^ Are there controls in

* Name of Third-Party – Corporation or individual’s name including supply chain vendors.

^ Have you assessed the ^^ Are there controls in

Pre-contract due diligence on

Ongoing due diligence of existing

Assure vendor only has access to

Customer's access is limited to

Non-disclosure agreements and

Data storage, retention, delivery,

Vendor employee access

Vendor obligation upon contract

^ Have you assessed the ^^ Are there controls in

Security processes initiated by

Directions on inserting new rows:

Password Strength Policy

Frequency of Password Change Policy

Training Employees on Password Hygiene

Anti-Virus Regularly Updated Policy

Malware Regularly Updated Policy

* Systems – List systems where assets reside.

Directions on inserting new rows:

Section 6- Protect: Encryption (See more details below in rows 21-30)

Group Level Example: Customer Account

Granular Example: Customer SS# G Drive High

Section 6- Protect: Encryption (See more details below in rows 21-30)

Section 7 - Protect: Employee Devices (See more details below in rows21-28)

Are permissions restricted and devices protected?

Directions on inserting new rows:

Section 7 - Protect: Employee Devices (See more details below in rows21-28)

Section 8 - Protect: Controls and Staff Training

Monitor employees' and vendors' systems

Account credentials (login and password) are

Business objective can be *Remediation Needed?