FINRA Cybersecurity Checklist


The Financial Industry Regulatory Authority (FINRA) has a track record of paying close attention to the cybersecurity of the investment and financial firms it regulates. To stay in FINRA compliance, you should obtain and use the FINRA Cybersecurity Checklist available on its website.

For the purposes of FINRA compliance duties, cybersecurity is broadly defined as the protection of investor and firm information against compromise through the use, in whole or in part, of information technology.

Compromise here means a loss of data confidentiality, integrity, or availability. The FINRA checklist is designed to help small member firms with limited resources build a cybersecurity program that identifies and assesses cybersecurity threats, protects assets from intrusion, detects when systems or data have been compromised, responds when a compromise occurs, and recovers lost, stolen, or unavailable assets (data and systems) afterwards.

The checklist draws on the National Institute of Standards and Technology (NIST) Cybersecurity Framework and FINRA’s Report on Cybersecurity Practices. For a more in-depth discussion of the areas described below, review the NIST framework and the FINRA report.

This checklist isn’t exhaustive, and firms should build their cybersecurity program in the way that best suits their business model. There is no such thing as a one-size-fits-all cybersecurity solution.

Firms may create their own checklist, borrow portions of this one for their own list, or use another source (for example, SIFMA’s small business checklist, NIST guidance, or the Securities and Exchange Commission’s recommendations). Firms that use this checklist must adapt it to reflect their own business, products, and customer base.

Please note that using this checklist does not create a “safe harbour” under FINRA rules, state or federal securities laws, or any other federal or state regulatory requirement.


Using the FINRA small business cybersecurity checklist, firms identify and inventory their electronic assets, assess the harm to clients and the firm if those assets were compromised, identify possible safeguards and procedures for protecting them, and then make a risk-based decision that weighs the assets, the impact of a potential breach, and the available safeguards.

A firm may decide to remediate a few high-impact vulnerabilities, or it may decide that a given risk is low-impact and one it is willing to accept. Either way, the firm should document why it chose to remediate or why it chose not to.

Completing the FINRA small business cybersecurity checklist takes real time and effort from your firm’s senior executives. At a minimum, the firm must know which of its assets are exposed to a cyber-attack and must assign a risk level to each of them. Once senior executives understand how those assets are managed, the firm’s and its clients’ data can be protected accordingly. The questions are listed below.


In a small firm, one person may be responsible for all operations, legal, and compliance matters, including the cybersecurity program, and may be unfamiliar with the technologies involved or the terms used in the FINRA small business cybersecurity checklist. To understand the material in the checklist, the firm might work with an external technology provider (such as KalioTek™), industry associations or other peer groups, its vendors, or its FINRA Regulatory Coordinator. Many small firms rely on clearing firms and vendors to keep clients happy and the business running, but they should not assume that someone else is in charge of preventing or responding to cyber-attacks.

“This listing is currently in Excel, and it makes use of Excel formulas.” The person who fills out this form must have a basic comprehension of Excel. If no one in your company possesses these skills, please send an email to to schedule a phone call. Additionally, YouTube has a plethora of Excel video tutorials.

Please note that if you want to add a new row to Section 1, you’ll have to add rows to the other Sections as well, and you’ll have to copy the old formulas in the newly added cells.”

Questions from the FINRA Small Business Cybersecurity Checklist

Answer the five questions below, then complete the sections (12 tabs in total) that apply to your firm based on your answers. The checklist follows the five core functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.

The following are some of the questions that will be asked about your company’s resources and systems:

Tips for Completing the 12 Sections of the Checklist

The following pointers aren’t meant to be comprehensive directions for completing each element of the checklist. Instead, many of these suggestions are based on the questions I’m frequently asked when assisting clients with this checklist.

Section 1: Risk Identification and Assessment – Inventory

The first two columns ask about your firm’s data and where it is kept. A good place to start is the information you collect from a new client: what do you gather, and where does it go?

The third column asks you to rate the level of risk as high, medium, or low. To do so, assess the potential harm to the people whose personal financial information would be exposed if it fell into a criminal’s hands or was made public.
Screenshot from Section 1

Section 2: Assess and Identify Risks – Minimize Use

This section follows on from your Section 1 entries. For each data category you listed, determine whether your firm 1. needs to collect it at all, and 2. needs to share it.

You might be shocked at how much information you get that you don’t require. Get rid of that information and the risk it poses.

Section 3: Assessing and Identifying Risks – Third Parties

Don’t limit yourself to third parties whose employees have access to your information, such as your IT services provider, accountant, or payroll service. Include vendors of data storage and transfer products and services, such as Dropbox or Salesforce.
Vendor management steps should be performed according to the checklist-within-a-checklist commencing at row 62.

Section 4: Protect – Information Assets

Enter how each “information asset” is safeguarded for each sensitive data category you defined in Section 1. But, once you’ve done that, consider whether the safeguards are effective.


  • Is access to the system password-protected? If so, have you changed the default password?
  • Do you have anti-malware, anti-virus, or firewall software installed? Have you applied all available updates and patches?

Section 5: Protect – System Assets

Here “asset” means the information and the systems that hold it, not the financial assets that financial services professionals usually have in mind. The “system,” such as your CRM, HR, or project management software, is what stores and/or processes the data.

Section 6: Protect – Encryption

The footnotes are useful for teaching some encryption fundamentals, but if you’re not a cybersecurity specialist, this is an excellent section to seek assistance from your IT personnel or a provider.
When transferring data via internal email, most small businesses (and even large businesses) do not encrypt it. Microsoft and other email platform providers have tools in place to protect this type of information. Again, seek assistance in putting these safeguards in place.

Section 7: Protect – Employee Devices

List every device that has access to personally identifiable information (PII) in this section. This includes personal devices, such as cellphones and tablets, that employees use to check their work email.

You must also specify how each device is secured. Your measures should include encrypting data on the device and wiping sensitive data from the devices of terminated employees. Consider prohibiting employees from saving any business information to their mobile devices at all.

Section 8: Protect – Staff Training and Controls

The training section does not prescribe specific types of cybersecurity training, but one area you should cover is how to recognise phishing attempts. Phishing is one of the quickest ways for an attacker to get into your systems. Training should include regular simulated phishing emails so you can measure how well it is working.

You’ll be asked whether you keep track of who has access to your systems, including employees and vendors. Pay particular attention to everyone with administrative access, including email system administrators. Attackers target admin accounts because they grant the broadest access to firm and client data. Make sure every admin account has two-factor authentication enabled.
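The access review this section asks for can be scripted once you have an export of your accounts. The following is an added example, not part of the FINRA checklist or the original post: it runs over a constructed, fictional account inventory (the column names, user names, and the 90-day dormancy threshold are assumptions) and flags the conditions discussed above, namely admin accounts without two-factor authentication, accounts still enabled after termination, vendors holding standing admin rights, and accounts nobody has used in a long time.

```python
import csv
import io
from datetime import date

# Constructed sample of an account inventory export (fictional users and dates).
# A real review would use an export from your identity provider, email admin
# console, or CRM instead of this embedded text; the column names are assumed.
SAMPLE_INVENTORY = """\
user,type,role,mfa_enabled,account_enabled,employment,last_login
alice@example-firm.com,employee,admin,yes,yes,active,2024-05-01
bob@example-firm.com,employee,admin,no,yes,active,2024-04-28
carol@example-firm.com,employee,user,yes,yes,active,2023-11-15
msp-support@example-msp.com,vendor,admin,yes,yes,active,2024-03-02
dave@example-firm.com,employee,user,no,yes,terminated,2024-01-10
"""

DORMANT_DAYS = 90                  # assumed review threshold for unused accounts
REVIEW_DATE = date(2024, 5, 15)    # the (fictional) day the review is run


def _yes(value):
    return value.strip().lower() == "yes"


def load_inventory(csv_text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def admin_accounts(rows):
    """The list the checklist asks you to keep: every enabled admin account."""
    return sorted(r["user"] for r in rows
                  if r["role"] == "admin" and _yes(r["account_enabled"]))


def review_accounts(rows, today, dormant_days=DORMANT_DAYS):
    """Return (user, finding) pairs for enabled accounts that need attention."""
    findings = []
    for r in rows:
        if not _yes(r["account_enabled"]):
            continue  # already-disabled accounts are out of scope for this pass
        user = r["user"]
        is_admin = r["role"] == "admin"
        idle_days = (today - date.fromisoformat(r["last_login"])).days

        if is_admin and not _yes(r["mfa_enabled"]):
            findings.append((user, "admin account without two-factor authentication"))
        if r["employment"] == "terminated":
            findings.append((user, "account still enabled after termination"))
        if is_admin and r["type"] == "vendor":
            findings.append((user, "vendor holds standing admin access; confirm it is still needed"))
        if idle_days > dormant_days:
            findings.append((user, f"no login for {idle_days} days"))
    return findings


if __name__ == "__main__":
    rows = load_inventory(SAMPLE_INVENTORY)
    print("Admin accounts:", admin_accounts(rows))
    for user, finding in review_accounts(rows, REVIEW_DATE):
        print(f"{user}: {finding}")
```

Run it on a fresh export each quarter and keep the output with your checklist as evidence that the review happened; an empty findings list is the goal, and any finding that you decide to accept rather than fix should be documented with the reason, as the checklist requires.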

Section 9: Detect – Penetration Testing

Penetration testing, often called “white hat” or ethical hacking, is when authorised testers imitate attackers in order to uncover flaws in your IT systems so that you can fix them before a real attacker finds them.

Section 10: Intrusion Detection

This section applies if you have an intrusion detection system (IDS). In plain English, an IDS monitors your network traffic (or activity on your hosts) for signs of an attack and raises an alert; for a small firm it is usually a feature or paid subscription on the firewall, or a monitoring service run by your IT vendor.

Ask about the IDS and whether it includes the “IDS Controls” that begin on row 21 if you have an outside IT vendor monitoring your network.

Section 11: Emergency Action Plan

This is another area where you should probably seek professional assistance. However, read it since it contains valuable advice about how to respond in the event of a data breach.

The meat of this section doesn’t come until line 38, when you’ll find a discussion of potential attacks and links to useful resources. A checklist of critical “governance” steps should begin on line 79 (such as purchasing cyber liability insurance!).

Section 12: Recovery

This section on recovery — what to do after a cyber attack — is a wonderful primer on the six controls you should have in place before a cyber attack.
The control on line 13 translates as follows: keep continuous network monitoring and logging in place so that, if something bad does happen, you have a record of the unusual activity and can tell whether you are still exposed to being hit the same way again.
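To make the IDS controls of Section 10 and the monitoring control of Section 12 concrete, here is an added example that is not part of the FINRA checklist or the original post. It runs two simple detections over constructed, fictional log lines (the syslog-like format, the addresses, and the thresholds are all assumptions): a port scan, where one source is denied on many different destination ports within a short window, and a brute-force login attempt, where one source produces repeated authentication failures. A commercial IDS does far more, but this is the shape of what it is doing with your firewall and login logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (fictional addresses and times), in an assumed
# syslog-like format: "<timestamp> <source> <EVENT> key=value ...".
# Lines are assumed to be in chronological order, as a live feed would be.
SAMPLE_LOG = """\
2024-05-15T09:00:01 fw DENY src=198.51.100.7 dst=192.0.2.10 dport=21
2024-05-15T09:00:02 fw DENY src=198.51.100.7 dst=192.0.2.10 dport=22
2024-05-15T09:00:03 fw DENY src=198.51.100.7 dst=192.0.2.10 dport=23
2024-05-15T09:00:04 fw DENY src=198.51.100.7 dst=192.0.2.10 dport=25
2024-05-15T09:00:05 fw DENY src=198.51.100.7 dst=192.0.2.10 dport=80
2024-05-15T09:00:06 fw DENY src=198.51.100.7 dst=192.0.2.10 dport=110
2024-05-15T09:00:07 fw DENY src=198.51.100.7 dst=192.0.2.10 dport=143
2024-05-15T09:00:08 fw DENY src=198.51.100.7 dst=192.0.2.10 dport=443
2024-05-15T09:00:09 fw DENY src=198.51.100.7 dst=192.0.2.10 dport=445
2024-05-15T09:00:10 fw DENY src=198.51.100.7 dst=192.0.2.10 dport=3389
2024-05-15T09:00:11 fw DENY src=203.0.113.9 dst=192.0.2.10 dport=443
2024-05-15T09:01:00 auth FAIL user=alice src=203.0.113.5
2024-05-15T09:01:05 auth FAIL user=alice src=203.0.113.5
2024-05-15T09:01:10 auth FAIL user=alice src=203.0.113.5
2024-05-15T09:01:15 auth FAIL user=alice src=203.0.113.5
2024-05-15T09:01:20 auth FAIL user=alice src=203.0.113.5
2024-05-15T09:02:00 auth FAIL user=bob src=192.0.2.50
2024-05-15T09:02:30 auth OK user=bob src=192.0.2.50
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<event>\w+) (?P<fields>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["fields"].split())
    return {"ts": datetime.fromisoformat(m["ts"]), "source": m["source"],
            "event": m["event"], **fields}


def _prune(window_q, now, window):
    """Drop entries older than the sliding window from the front of the deque."""
    while window_q and now - window_q[0][0] > window:
        window_q.popleft()


def detect(lines, window=timedelta(seconds=60), fail_threshold=5, port_threshold=10):
    """Return alerts for brute-force logins and port scans seen in the lines.

    Thresholds are assumptions to tune for your environment: fail_threshold
    auth failures from one source, or port_threshold distinct denied ports from
    one source, inside one sliding window, triggers a single alert per source.
    """
    fails = defaultdict(deque)    # src -> deque of (ts, user) auth failures
    denies = defaultdict(deque)   # src -> deque of (ts, dport) firewall denies
    alerts, alerted = [], set()

    for line in lines:
        ev = parse_line(line)
        if ev is None or "src" not in ev:
            continue
        now, src = ev["ts"], ev["src"]

        if ev["source"] == "auth" and ev["event"] == "FAIL":
            q = fails[src]
            q.append((now, ev.get("user")))
            _prune(q, now, window)
            if len(q) >= fail_threshold and ("brute_force", src) not in alerted:
                alerted.add(("brute_force", src))
                alerts.append({"type": "brute_force", "src": src, "count": len(q),
                               "users": sorted({u for _, u in q}),
                               "first": q[0][0], "last": now})

        elif ev["source"] == "fw" and ev["event"] == "DENY":
            q = denies[src]
            q.append((now, ev.get("dport")))
            _prune(q, now, window)
            ports = {p for _, p in q}
            if len(ports) >= port_threshold and ("port_scan", src) not in alerted:
                alerted.add(("port_scan", src))
                alerts.append({"type": "port_scan", "src": src, "count": len(ports),
                               "first": q[0][0], "last": now})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['type']:<12} src={a['src']} count={a['count']} "
              f"{a['first'].time()}..{a['last'].time()}")
```

In the sample, the single denied connection from 203.0.113.9 and bob’s one failed login followed by success produce no alert, which is the point of thresholds and windows: an IDS that alerts on every denied packet is an IDS nobody reads. The retained log lines are also what Section 12 is asking for, since they let you go back after an incident and see whether the same source or the same pattern is still showing up.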

Why Ignoring This Checklist Is a Bad Idea

Checklists for cybersecurity are probably nothing new to you. Some of my clients claim they haven’t paid attention to them because they feel their parent firm, broker-dealer, or another entity higher up the corporate ladder is in charge of all cyber security.

This is almost never the case. If a data breach results in a lawsuit and you cannot establish that your firm had a sound cybersecurity program in place when the breach occurred, it can be a very costly mistake.

This FINRA checklist necessitates more than simply ticking yes or no on a long list of cybersecurity procedures; it necessitates a significant amount of time and work. That, though, is a positive thing.

You’ll have the foundations of a robust cybersecurity programme if you work with your IT team and/or vendors to complete this checklist. Useful companion resources are the SANS Critical Security Controls for Effective Cyber Defense and the FINRA Report on Cybersecurity Practices.

If you download and incorporate the FINRA small business cybersecurity checklist into your investment or financial company’s cybersecurity rules, you’ll realise that there’s a lot more to it.

We can assist you in fully comprehending and using everything included inside this text.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Before that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.