Professional Documents
Culture Documents
Smallfirm Cybersecurity Checklist
Smallfirm Cybersecurity Checklist
Firm Name:
Person(s) Responsible for Cybersecurity Program:
Last Date Reviewed:
Key Personnel:
Firm's IT Consultant:
Important:
Using this checklist is optional, and it is not meant to be exhaustive. Firms may choose to develop or use their own checklist, borrow sections from this checklist to include in their
own checklist, or use a different resources (e.g., SIFMA’s small firm check list, NIST guidance, or the SEC's Securities and Exchange Commission’s guidance). There is no one-size-
fits-all cybersecurity program. Firms should tailor their cybersecurity program in a way that best suits their business model and adapt this checklist and other resourcesit to reflect
their particular business, products, customer base and risks. Use of this checklist does not create a "safe harbor" with respect to FINRA rules, federal or state securities laws, or
other applicable federal or state regulatory requirements.
Note that in March 2023, the Securities and Exchange Commission (SEC) proposed a new rule, form, and related amendments that would require specified entities, including
broker-dealers, to address their cybersecurity risks. If the proposal is adopted, broker-dealer members would have new cybersecurity risk managment requirements.
Methodology:
Using this checklist, firms will identify and inventory their information assets, assess the adverse impact to customers and the firm if the assets were compromised, and assign a
risk level based on this assessment. Firms will identify potential protections and processes to secure the assets, and make a risk-based determination, considering their resources,
the consequences of a potential breach and available protections and safeguards, on how to address the identified risks. Firms may decide to remediate or address some high-
level risk impact vulnerabilities or they may decide that the threat is a low-level risk impact which they can accept. Firms should consider articulating why they decided to
remediate or chose not to remediate identified risks. Because of the importance of protecting information assets, senior executives should be informed of the identified risks and
weigh in on determinations on how to best allocate firm resources in order to address those risks. See questions in the "Procedures for completing this checklist" section below.
Assistance:
At small firms, one person may be responsible for many functions, such as operations, compliance and legal. In some cases, the primary person working on compliance programs
may not be a technology expert, and he or she may not understand the technology at issue or terms used in this checklist. In this instance, the firm may consider enlisting outside
technology help, industry trade associations or other peer groups, their vendors or their FINRA Risk Monitoring Analyst to understand the information discussed in this checklist.
However, firms are ultimately responsible for their compliance and should not assume that others, such as clearing firms or outside vendors, are responsible for preventing or
reacting to a cybersecurity incident. If you have any questions or issues with this checklist, please contact CAU@finra.org.
Using Excel:
This checklist is in Excel format and uses Excel formulas. The person completing this checklist should have a basic knowledge of Excel. There are many helpful video tutorials on
Excel available on YouTube for those who may need assistance with how to use Excel.
Please note: If you need to insert a new row in Section 1, you will also need to insert rows on the other Sections and copy the pre-existing formulas into the newly inserted cells.
CYBERSECURITY
Checklist for a Small Firm's Cybersecurity Program
Firm Name:
Person(s) Responsible for Cybersecurity Program:
Last Date Reviewed:
Key Personnel:
Firm's IT Consultant:
Procedure for completing this checklist:
Review the five questions below and based upon your answers, complete the sections (12 tabs total) applicable to your business. The five core sections of the checklist follow the
NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.
Questions about your firm's assets and systems:
1) Does your firm store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial
records) electronically?
If you answer yes to question 1, you will fill out the following sections of the Cybersecurity Checklist:
2) Does your firm transmit PII or firm sensitive information to a third party or otherwise allow access to PII or firm sensitive information by a third party?
3) Does your firm have assets that if lost or made inoperable would impact your firm's operations (e.g., trading or order management systems)?
4) Do your firm's employees (or independent contractors) maintain non-firm issued devices (e.g., server, storage, etc.) that access or store PII or firm sensitive information?
If you answer yes to question 4, you will fill out:
5) If your firm's systems, PII or firm sensitive information were made inoperable or stolen, would your firm need to recover them to conduct business?
If you answer yes to question 5, you will fill out:
Section 12 - Recovery
FINRA Resources:
FINRA's Report on Cybersecurity Practices-2018
FINRA’s Report on Cybersecurity Practices-2015
FINRA List of Common Cybersecurity Threats
FINRA's Core Cybersecurity Controls for Small Firms
FINRA Firm Checklist for Compromised Accounts
FINRA Rules - Cybersecurity Overview
FINRA - Rules - Guidance - Notices
Relevant Notices
Imposter Websites Impacting Member Firms
Cybersecurity Alert: Cloud-Based Email Account Takeovers
FINRA Alerts Firms to Increased Ransomware Risks - Notice 22-29
FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors - Notice 21-29
Rule 6439 Governing Operation of Inter-dealer Quotation Systems - Notice 21-28
FINRA Alerts Firms to Recent Increase in ACH “Instant Funds” Abuse - Notice 21-14
Others:
Center for Internet Security website
NIST Small Business Cybersecurity Corner
NIST Framework Version 1.1
Center for Internet Security - Top 20 CIS Controls & Resources
FFIEC - Cybersecurity Assessment Tool
Homeland Cybersecurity Evaluation Tool for Self Assessment
CSIS -Controlled Use of Administrative Privileges
SysAdmin Audit Network and Security (SANS.Org)
Compilation of States Security Breach Notification Laws
FBI Contact List
Secret Service Contact List
FINCEN - SAR Reporting of Cybersecurity Events
Personally Identifiable information, NIST’s Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (see pages 2-1 and 2-2)
Inventory of PII and Firm Sensitive Information, please see FINRA’s Report on Cybersecurity Practices - 2015 (see pages 12-13)
Asset Inventory, please see FINRA's Report on Selected Cybersecurity Practices - 2018 (see page 3)
Section 6 - Protect-Encryption
Understanding Encryption, FINRA’s Report on Cybersecurity Practices (see pages 20-21)
Data Loss Prevention, please see FINRA's Report on Selected Cybersecurity Practices - 2018 (see page 11)
Section 10 - Detect-Intrusion
NIST's Guide to Intrusion Detection and Prevention Systems (IDPS) final version
Security Information and Event Management (SIEM) and User and Entity Behavioral Analytic (UEBAQ) Tools, FINRA's Report on Selected Cybersecurity Practices - 20
Section 12 - Recovery
Eradication of Cyber breach and Recovery, NIST’s Computer Security Incident Handling Guide (see pages 35-37)
Incident Response Planning, FINRA's Report on Cybersecurity Practices - 2015 (see pages 23-25)
If your answer to the following question is YES, complete this tab (Section 1):
1) Does your firm store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive
information (e.g., financial records) electronically?
Section 1- Identify and Assess Risks: Inventory (Definitions provided below in rows 21-36)
***Risk Severity Level
*Description of PII or Firm Sensitive Data **Location (e.g., Network Drive, Systems Folder, Email) (H/M/L)
Definitions:
Where is personally identifiable information (PII) or firm sensitive information located on your firm's systems or other electronic storage (include your branch
offices and unregistered locations)?
* PII or Firm Sensitive Information – includes name, social security number, date and place of birth, mother’s maiden name, or financial records including
customer accounts and holding information. Firm sensitive information can include data such as contact address information, email addresses, marketing
plans, employee information, financial records, and tax filings, etc. Firms can list data at a group level such as customer account information, or at the
granular level such as social security number, customer name, date of birth, etc.
** Location – where the electronic information information is stored, such as on a network drive, system folder, laptop or email. If the same data is stored in
more than one location, complete a separate entry for each location.
*** Risk Severity Level – Assign a risk severity classification to the data (e.g., low, medium or high). There is no one-size-fits-all way to assign risk severity, but
a firm may consider the severity of the impact to customers and the firm if the PII or firm sensitive data were compromised.
Section 2- Identify and Assess Risks: Minimize Use (See more details below in rows 21-29)
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
Have you taken steps to minimize the use and proliferation of PII or firm sensitive data?
* Business objective can be met without data – One way to mitigate risk is to remove the PII or firm sensitive data from your systems and networks. Consider whether your firm can do its business without storing the PII
or firm sensitive information in the system or network location. When removing data from your firm's systems and networks, keep in mind any books and records obligations that may apply to this data.
** Sharing data – Consider how the PII or firm sensitive data is shared, identify people or systems that do not require access to the data, and consider limiting access to this data to those who need it.
*** Remediate – If you determine that there is no business purpose to store or share the PII or firms sensitive information, you may remediate by either removing the data from the location or not sharing it. When
removing data from your systems and networks, keep in mind any books and records obligations that may apply to this data. If the firm is required to store and share the data, consider the risk severity of the data being
compromised and consider whether a business practice could be changed to mitigate the risk (e.g., if a business process involves using a customer’s social security number, change the process to use another customer
specific identifier rather than the social security number).
Section 3- Identify and Assess Risks: Third Party or Supply Chain Vendor (See more details below in rows 21-35)
**PII or Firm Sensitive ^ Have you assessed the ^^ Are there controls in
*Name of Third-Party ****Is it necessary for the Third- Third-Party Organization or place to isolate Third- ^^^ Remediation Needed?
Organization or *****Supply Data transmitted to Third- ***Risk Severity Party Organization or SCV to SCV to ensure that they have Party /SCV Connections
Party Organization/SCV Level
Chain Vendor (SCV) (Y/N)? access the data transmitted (Y/N)? effective security practices from your critical assets
(Y/N)? (Y/N)?
Remediation
Yes/No Remediation Steps Status
Bank
Clearing Firm
If your answer to the following question is YES, complete this tab (Section 3):
2) Does your firm transmit PII or firm sensitive information to a third party, or otherwise allow access to PII or firm sensitive information by a third party or supply chain vendor?
Section 3- Identify and Assess Risks: Third Party or Supply Chain Vendor (See more details below in rows 21-35)
Third-Party Risk Management: Does your firm transmit PII or firm sensitive information to a third party, or otherwise allow access to PII or firm sensitive information by a third party? (e.g., vendors, clearing firm, supply chain, customers, etc.)?
Section 3- Identify and Assess Risks: Third Party or Supply Chain Vendor (See more details below in rows 21-35)
Ex-vendors/customers' access
terminated immediately
Breach notifications
Right-to-audit clauses
Use of subcontractors
Section 3- Identify and Assess Risks: Third Party or Supply Chain Vendor (See more details below in rows 21-35)
Member firms – including small firms – have increasingly leveraged vendors to implement systems and perform key functions (e.g., customer
relationship management systems, clearing arrangements, account statement generation) and often contract with Managed Service Providers
(MSPs) and Managed Security Service Providers (MSSPs), respectively, to oversee their IT infrastructure and cybersecurity programs. Relying on
vendors may help small firms reduce operating costs, improve efficiency and concentrate on core broker-dealer operations. However, due to the
recent increase in the number and sophistication of cyberattacks, FINRA reminds firms of their obligations to oversee, monitor and supervise
cybersecurity programs and controls provided by third-party vendors. Firms may want to consider asking the following questions, where applicable,
with respect to how they select, conduct due diligence on and document relationships with cybersecurity vendors:
• Does your firm have a process for its decision-making on outsourcing, including the selection of cybersecurity vendors? Does this process engage
key internal stakeholders and consider the impact of such outsourcing on its ability to comply with federal securities laws and regulations, and
FINRArules?
• Does your firm implement risk-based due diligence on vendors’ cybersecurity practices critical to managing risks present in a firm’s environment,
including the ability to protect sensitive firm and customer non-public information?
• Does your firm document relationships with vendors in written contracts that clearly define all parties’ roles and responsibilities related to
cybersecurity, such as evidencing compliance with federal and state securities laws and regulations, and FINRA rules; protection of sensitive firm
and customer information; and notifications to your firm of cybersecurity events, and the vendor’s efforts to remediate those events?
• Does your firm conduct independent, risk-based reviews to determine if vendors have experienced any cybersecurity events, data breaches or
other security incidents? If so, does your firm evaluate the vendors’ response to such events?
• Does your firm's incident response plan describe appropriate steps to follow if a cyber incident occurs at a critical third-party vendor or supply
chain vendor?
If your answer to the following question is YES, complete this tab (Section 4):
1) Does your firm store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically?
Section 4- Protect: Information Assets (See more details below in rows 21-27)
^^ Remediation Needed?
* Password Protection ** Malware/Anti- ^ List other protections
Location (e.g., Network Risk Severity Installed and Password
PII or Firm Sensitive Data Drive, Systems Folder, Email) Level (H/M/L) Reset From Default Virus Protection (e.g., firewalls used to
Installed (Y/N)? protect assets)
(Y/N)? Remediation
Yes/No Remediation Steps Status
Group Level Example: Customer Account
Information Network Drive High
Granular Example: Customer SS# G Drive High
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
* Password Protection – Are the systems where your firm stores, uses, or transmits PII or firm sensitive data password protected? If so, have you reset from the default password?
** Malware/Anti-Virus Protection – Does your firm install and regularly update malware or anti-virus software?
^ Other Protections – Does your firm use other protections like firewalls to protect information?
^^ Remediate – Conduct a risk assessment of the strength of the protections considered with the assigned risk severity level, together with resources and consider whether protections should be enhanced (e.g., include stronger password
requirements, installing malware or anti-virus protections or other system protections).
Section 4- Protect: Information Assets (See more details below in rows 21-27)
^^ Remediation Needed?
* Password Protection ** Malware/Anti- ^ List other protections
Location (e.g., Network Risk Severity Installed and Password
PII or Firm Sensitive Data Drive, Systems Folder, Email) Level (H/M/L) Reset From Default Virus Protection (e.g., firewalls used to
Installed (Y/N)? protect assets)
(Y/N)? Remediation
Yes/No Remediation Steps Status
Does your firm have a process in place defining and implementing a password policy, educating users and regularly updating malware
and anti-virus software?
Remediation Needed?
Remediation
Policy Yes/No Yes/No Remediation Steps Status
Multi-Factor Authentication
List system assets that are important to your firm's operations (e.g., trading or order management systems or systems maintaining customer account information):
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
Encryption is the process of encoding messages or information in such a way that only authorized parties can read it.
Has your firm taken steps to encrypt the data?
* Encrypted in transit to external sources – Data can be a shared in many ways, including an email to someone external to the firm, over the internet, and between client and a server, between two servers, between two networks, etc. If
the firm prohibits PII from being transmitted to external sources, note this in the remediation steps.
** Internal use – Data may be stored in many places within an organization, including on file servers, on workstations and on portable media such as thumb drives. Data also may be shared internally via email between two employees, for
example.
*** Encrypted at backup – Data is often stored in a non-network or non-system media which can be lost or stolen.
^ Has it been masked when displayed – Data, such as social security numbers, can be masked whenever displayed to a person accessing that data.
^^ Remediate – After identifying where data is encrypted and where it is not, consider the risk severity level and its resources, and decide what remediation steps to take, if any, including encrypting all outgoing emails or all emails,
encrypting all PII and firm sensitive information at rest or in storage, or masking the data when it is displayed.
If your answer to the following question is YES, complete this tab (Section 6):
1) Does your firm store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically?
* Access to PII and Firm Sensitive Data – Does the device have access to PII and firm sensitive data? Do your Independent Contractors or registered persons have access to the firm's network? Are there servers or storage system at the branch owned or controlled by independent
contractors or registered persons?
** Risk Severity Level – Assign a risk severity level to the PII or firm sensitive information the person can access considering the impact to customers and the firm if the information were compromised.
^ Protected/Encrypted – Are devices secured with passwords? Is data encrypted if lost?
^^ Remediate – Consider the access to PII and firm sensitive information and the risk severity of compromise, and conduct a risk assessment of whether to deny access to all or part of the PII or firm sensitive information, protect the information better by encrypting the data and having
the ability to remove all data from a device if it is lost or stolen.
• Does your firm understand where its cybersecurity risks lie, specifically is this section within its technology hardware and software asset inventories?
• Does your firm allow branch office(es) to host non-firm managed servers, applications, or systems such as email? If yes, what security controls has the firm required to be implemented by the branch(es) to manage such servers or systems and how does the firm enforce such security
controls?
• Does your firm’s staff in cybersecurity/IT positions have the technical skillsets to properly configure tools and applications?
• How does your firm verify that its critical and sensitive systems have adequate protection and detection controls?
• What cyber hygiene controls (e.g., endpoint, MFA, email encryption, DLP) does your firm implement?
• Does your firm enable automatic patching and automated updating features of operating systems and other software to help ensure the latest security controls are in place a?
• Does your firm prohibit the sharing of passwords amongst firm staff, and particularly on privileged or admin accounts?
BRANCH CONTROLS:
Overseeing IT and cybersecurity controls across a branch network can be challenging for small firms, in particular at firms that permit registered persons to use non-firm issued infrastructure, applications, and devices. A branch network may present challenges for a firm’ seeking to
implement a consistent firm-wide cybersecurity program. Some firms may experience increased challenges if their branches may, for example, purchase their own assets, allow Bring Your Own Devices (BYOD), use nonapproved vendors, or not follow their firm’s software patching and
upgrade protocols. As a result, firms should evaluate whether they need to enhance their branch-focused cybersecurity measures to maintain robust cybersecurity controls and protect customer information across their organizations. Firms may want to consider asking the following
questions, where applicable, with respect to how they supervise their branch network:
• What policies and procedures regarding cybersecurity and annual attestations of compliance have been established for each of your firm’s branch offices?
• What cybersecurity training is required when onboarding new branch locations or new staff?
• How does your firm confirm each of its branches meet firm cybersecurity standards, use firm-recommended vendors or other vendors meeting firm standards? What consequences does the firm impose (such as fines, sanctions or termination) on branches and registered
representatives engaging in repeat violations of firm standards?
• What compliance and technology support does your firm provide its branches and registered representatives implementing firm cybersecurity protocols?
• What are your firm’s configuration requirements for physical security and technical controls at each branch (e.g., hard drive encryption, virus protection, MFA, patching and removable storage media)? How does your firm monitor these controls? Are these controls reviewed during
branch inspections or monitored through the use of automated tools?
• How does your firm confirm that each of its branches use only secure, encrypted wireless settings for office and home networks?
• If a review of one of your firm’s branches identifies material deficiencies or reported material cybersecurity incidents, how does it confirm that the branch has implemented corrective action?
If your answer to the following question is YES, please complete this tab (Section 8):
1) Does your firm store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records)
electronically?
Ex-employees/contractors and
ex-vendors/customers access terminated
immediately?
• How frequently and consistently does your firm conduct cybersecurity training? Are all individuals or third parties with access to PII or sesitive firm info at the firm included in
cybersecurity training?
• Is your firm’s training tailored to the cybersecurity training applicable to its business? How does your firm ensure that cyber and IT personnel are trained and kept abreast of the
cybersecurity threat landscape to continuously assess the effectiveness of technical controls?
• Does your firm’s training include simulated phishing exercises to validate employee understandingand track participation metrics? What consequences do employees face if they don’t
pass (e.g., mandatory retraining)?
• Does the training encompass a variety of methods (e.g., reminder emails, online formal training, discussions of actual events)?
• Has your firm considered incorporating a formal or informal evaluation of the staff’s understanding of and compliance with firm cybersecurity requirements into its training program
(i.e., cybersecurity and IT control training needs analysis)?
At the minimum, does your training cover the following areas?
Phishing:
Phishing is one of the most common cybersecurity threats affecting firms – it may take a variety of forms, but all phishing attempts try to convince the recipient to provide information or
take action. The fraudsters typically try to disguise themselves as a trustworthy entity or individual via email, instant message, phone call or other communication, where they request
personally identifiable information (PII) (such as Social Security numbers, usernames or passwords), direct the recipient to click on a malicious link, open an infected attachment or
application, or attempt to initiate a fraudulent wire transfer or transaction. Firms may want to consider asking the following questions, where applicable, with respect to how they
identify, prevent and mitigate phishing attempts:
• Do your firm’s policies and procedures address phishing by, for example:
- identifying phishing emails
- clarifying that staff should not click on any links or open any attachments in phishing emails
- requiring deletion of phishing emails
- developing a process to securely notify Information Technology (IT) administrators or compliance staff of phishing attempts
- implementing additional controls (e.g., customer phone call backs, additional authentication requirements) for money movement requests, especially at higher dollar amounts, to
foreign jurisdictions, and/or to third party bank accounts; and
- ensuring proper resolution and remediation after phishing attacks, and implementation of additional controls to prevent recurrence?
• Has your firm implemented email scanning and filtering to monitor and block phishing and spam communication? Are external emails clearly marked with warning to recipients to
exercise caution with links, attachments and requests for login information? Do your users know how to report suspicious email to the security team?
• Does your firm regularly conduct phishing email campaign simulations to evaluate employee understanding and compliance of its phishing policies and procedures?
Malware:
Malware is a catch-all term for multiple types of malicious software (e.g., viruses, spyware, worms) designed to cause damage to a stand-alone or networked computer. Malware most
often originates from phishing emails where a user clicked on a link or opened an attachment. Once activated, it can mine a firm’s system for PII and sensitive data; erase data; steal
credentials; alter, corrupt or delete a firm’s files and data; take over an email account; and even hijack device operations or computer-controlled hardware. Firms may want to consider
asking the following questions, where applicable, with respect to how they identify, prevent and respond to malware attacks:
• How does your firm train employees to recognize and report cyberattacks involving malware?
• What preventative measures does your firm take (e.g., endpoint malware protection) to defend against malware?
• How does your firm monitor for indications of malware on your firm’s systems?
• How does your firm’s incident response plan address malware infections?
• How does your firm incorporate threat intelligence regarding newly identified instances of viruses or other types of malware into its IT infrastructure?
Section 9 - Detect: Risk Assessment
Risk Assessment in place for Remediation Needed?
Home Office and Branch Tested? Date tested Problems/Vulnerabilities Identified Risk Severity Level (H/M/L) Remediation
Locations: Yes/No Remediation Steps Status
Application Specific
RISK MANAGEMENT:
Consider conducting a risk assessment of your firm and its infrastructure using either external resources or internal staff.
• External testing may include penetration testing while internal testing may include vulnerability assessment.
• Determine the total risk landscape based on your business model and the scope of the systems you want tested considering current and emerging risks and your resources. For example, will the Risk Assessment be limited to identifying
vulnerabilities or will the test attempt to obtain sensitive information from the firm? Will the test include outside threats, mainly the internet or will it also include internal (employee, contractor), or will it include critical third-party
vendor/supply chain vendor? Should the test be done as a surprise without letting employees or users of your system know, or should they be informed?
• After conducting the test, firms should identify vulnerabilities, risk rank them as high, medium, low, and maintain a documented Risk Log. Firm should develop a comprehensive plan to remediate identified risks.
• Risk assessments should include branch locations. In performing risk assessment of their branches, firms should keep in mind that effective technical controls perform many critical functions, such as keeping unauthorized individuals
from gaining access to a system and detecting when a security violation has occurred. However, small firms may not have sufficient resources to ensure adequate safeguards around all possible attack surfaces, especially in today’s
hyperconnected world and ever-changing risk landscape. Small firms can use a cybersecurity risk assessment to determine which threats are most significant for each branch and then identify and implement appropriate technical and
other controls to mitigate those threats.
• Has your firm verified that its critical and sensitive systems have adequate protection and detection controls?
If your answer to the following question is YES, complete this tab (Section 10):
1) Does your firm store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically?
Consider an Intrusion Detection System (IDS) and/or Intrusion Prevention System (IPS), which detects or prevents attempts to compromise the confidentiality, integrity or availability of firm systems. Intrusion detection or prevention
products are tools that can assist in protecting a company from intrusion by expanding the options available to manage the risk from threats and vulnerabilities. Intrusion detection and prevention capabilities can help a firm secure its
information. The tool could be used to detect or prevent an intruder, identify and stop the intruder, support investigations to find out how the intruder got in, and stop exploitation by future intruders.
One simple, but effective method for the firm to detect potential threats is to provide firm staff with a mechanism to easily report suspicious cyber activity to the firm for investigation. This could be in the form of a hotline, dedicated
email address or a SPAM button in the firm's email application. For example, if a staff person receives a phishing email and notes it as such, they should contact someone at the firm who can take action to prevent an intrusion before a
colleague clicks on the link.
Are the following controls implemented? If No, assess the risk of not having the controls and decide whether to remediate.
Remediation Needed?
Ransomware
Ransomware attacks are an increasingly common threat for small firms, and can quickly cripple their business operations, as well as expose firms to risks of
data exfiltration and publication. This type of highly sophisticated malware commonly encrypts a firm’s files, databases or applications to prevent firm
employees from accessing them until a ransom demand is paid to the fraudster. Firms may want to consider asking the following questions, where applicable,
with respect to how they identify, prevent and respond to ransomware attacks:
• Has the firm evaluated capabilities to detect and block sophisticated attacks, using tools such as endpoint detection and response (EDR), a host-based
intrusion detection system (HIDS) and a host-based intrusion prevention system (HIPS)?
• Does your firm keep offline backups of systems and data? Are recovery capabilities tested on a regular basis?
• Does your firm’s incident response plan include a scenario for potential ransomware attacks? If so, does your plan address factors such as:
- making cybersecurity insurance claims
- engaging cybersecurity experts to conduct forensics investigations and to assist in recovery efforts
- assessing and mitigating the impact of these attacks; and
- notifying affected parties (e.g., customers, employees, regulators) as required by data breach notification laws applicable to your firm?
If your answer to the following question is YES, complete this tab (Section 11):
1) Does your firm store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically?
Section 11 - Response Plan (See more details below in rows )
Response Plan in Risk Severity Level Remediation Needed?
Incident
Place (Y/N)? (H/M/L) Yes/No Remediation Steps Remediation Status
Create communications plan and review with executives. Conduct test on how
Example: Ransomware Attack No High Yes we would respond if we suffered a ransomware attack. In Process
Prepare incident responses to which you are most likely to be subject. The response should include a communication plan to notify your senior executives who need to know about the incident. Firm senior
executives should decide how to contain and mitigate the breach. You should run through different types of incidents you may suffer and plan how you would respond. Firms should prepare incident
responses for those types of incidents to which the firm is most likely to be subject, e.g., loss of customer PII, data corruption, denial of service (DoS) or distributed denial of service (DDoS) attack, network
intrusion, customer account intrusion or malware infection. Types of responses to consider include: full or partial shutdown of systems, disconnect system from the network, delete and reinstall malware, or
disabling a user from system access. You can add to or delete from the list as appropriate to your business. Remenber to report incidents impacting clients and firm to regulators, law enforcement and file
SAR reports as needed.
1) Does your firm store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically?
Section 11 - Response Plan (See more details below in rows )
Response Plan in Risk Severity Level Remediation Needed?
Incident
Place (Y/N)? (H/M/L) Yes/No Remediation Steps Remediation Status
Metrics
Activity/Governance Yes/No
1) Does your firm store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically?
Section 11 - Response Plan (See more details below in rows )
Response Plan in Risk Severity Level Remediation Needed?
Incident
Place (Y/N)? (H/M/L) Yes/No Remediation Steps Remediation Status
INCIDENT RESPONSE:
Incident response plans can help small firms rapidly and effectivly address cybersecurity events and incidents. Cybersecurity-related incidents may require firms to file a Suspicious Activity Report (SAR) with
the Financial Crimes Enforcement Network (FinCEN), as well as to notify the FBI through their Internet Crime and Complaint Center (IC3) and the Federal Trade Commission (FTC). Firms may want to consider
asking the following questions, where applicable, with respect to how they develop and implement their incident response plans:
• Does your firm maintain an incident response plan to identify and escalate incidents in a timely manner?
• Does your firm have the data inventory, assets inventory, and controls to assess the impact of incidents?
• Does your firm have capabilities for incident detection, containment, mitigation, and recovery either from internal resources or with help from a third party? If from a third party, have you established the
relationship with defined service level agreements (SLAs)?
• What communication plans does your firm prepare for outreach to relevant stakeholders (e.g.,customers, regulators, law enforcement, intelligence agencies, industry information-sharing bodies) if an
incident occurs?
• Do your firm’s post incident reviews aim for improvements, including evaluating the incident management process, policy updates and control effectiveness?
• Have you tested the incident response plan within the past year?
• Has the firm investigated or considered cybersecurity insurance?
If your answer to the following question is YES, complete this tab (Section 12):
5) If your firm's systems, PII or firm sensitive information were made inoperable or stolen, would your firm need to recover them to conduct business?
In recovery, administrators restore systems to normal operation, confirm that the systems are functioning normally, and remediate vulnerabilities to prevent similar incidents.
If the answer to one of the below questions is No, firms should conduct a risk assessment and decide whether to invest in the process to remediate.
Remediation Needed?
Risk Severity
Controls
Level (H/M/L) Remediation
Yes/No Yes/No Remediation Steps Status
Does your firm have regularly scheduled backups to
restore critical data or systems should they be lost in a
cybersecurity incident?
Firm Name: 0
Person(s) Responsible for Cybersecurity Program: 0
Last Updated: (FINRA's last update) Version 1.3 June 2023
Cybersecurity Summary Report: This report consolidates your responses from sections 1-12 and can be used to understand where your cybersecurity risks are, where you may need to dedicate budget
and resources to remediate. This report may also be useful for executive and board level updates. The report includes 10 responses per section. If you would like to add more rows, please contact us
at memberrelations@FINRA.org. Note you can filter your report by clicking on the down arrow on the column you would like to sort, check the boxes for the data you want to display, then click okay.
Firm Name: 0
Person(s) Responsible for Cybersecurity Program: 0
Last Updated: (FINRA's last update) Version 1.3 June 2023
Cybersecurity Summary Report: This report consolidates your responses from sections 1-12 and can be used to understand where your cybersecurity risks are, where you may need to dedicate budget
and resources to remediate. This report may also be useful for executive and board level updates. The report includes 10 responses per section. If you would like to add more rows, please contact us
at memberrelations@FINRA.org. Note you can filter your report by clicking on the down arrow on the column you would like to sort, check the boxes for the data you want to display, then click okay.
Firm Name: 0
Person(s) Responsible for Cybersecurity Program: 0
Last Updated: (FINRA's last update) Version 1.3 June 2023
Cybersecurity Summary Report: This report consolidates your responses from sections 1-12 and can be used to understand where your cybersecurity risks are, where you may need to dedicate budget
and resources to remediate. This report may also be useful for executive and board level updates. The report includes 10 responses per section. If you would like to add more rows, please contact us
at memberrelations@FINRA.org. Note you can filter your report by clicking on the down arrow on the column you would like to sort, check the boxes for the data you want to display, then click okay.
7 Section 8 - Protect: Controls and Staff Training Does your firm define cybersecurity training needs? 0 0 0
Does your firm conduct training in regular intervals (e.g., quarterly or
7 Section 8 - Protect: Controls and Staff Training annually)? 0 0 0
7 Section 8 - Protect: Controls and Staff Training Does your firm use interactive training? 0 0 0
Does training take into account firm specific risks (e.g., phishing
7 Section 8 - Protect: Controls and Staff Training attacks), systems and loss incidents history? 0 0 0
8 Section 9 - Detect: Penetration Testing External (internet) - pen testing 0 0 0
8 Section 9 - Detect: Penetration Testing Internal (intranet, employee or ex-employee) 0 0 0
8 Section 9 - Detect: Penetration Testing Application Specific 0 0 0
Firm Name: 0
Person(s) Responsible for Cybersecurity Program: 0
Last Updated: (FINRA's last update) Version 1.3 June 2023
Cybersecurity Summary Report: This report consolidates your responses from sections 1-12 and can be used to understand where your cybersecurity risks are, where you may need to dedicate budget
and resources to remediate. This report may also be useful for executive and board level updates. The report includes 10 responses per section. If you would like to add more rows, please contact us
at memberrelations@FINRA.org. Note you can filter your report by clicking on the down arrow on the column you would like to sort, check the boxes for the data you want to display, then click okay.
Does your firm have a plan to install patches, change passwords and
11 Section 12 - Recovery tighten network should a cybersecurity incident take place? 0 0 0