Professional Documents
Culture Documents
Firm Name:
Person(s) Responsible for Cybersecurity Program:
Last Date Reviewed:
Key Personnel:
Firm's IT Consultant:
Important:
Legend for Text Entry Fields
Cybersecurity is broadly defined as the protection of investor and firm information from compromise through the use—in whole or in Enter Free Text
part—of information technology. Compromise refers to a loss of data confidentiality, integrity or availability. This checklist is provided Pre-Populated Fields
to assist small member firms with limited resources to establish a cybersecurity program to identify and assess cybersecurity threats, Choose from Drop Down List
protect assets from cyber intrusions, detect when their systems and assets have been compromised, plan for the response when a
compromise occurs and implement a plan to recover lost, stolen or unavailable assets. This checklist is primarily derived from the Locked Down Fields
National Institute of Standards and Technology (NIST) Cybersecurity Framework and FINRA’s Reports on Cybersecurity Practices (See Insert Rows
Resources Tab).
This checklist is not exhaustive and firms should address their cybersecurity program in a way that best suits their business model.
There is no one-size-fits-all cybersecurity program. Firms may choose to develop or use their own checklist, borrow sections from this
checklist to include in their own checklist, or use a different resource (e.g., SIFMA’s small firm check list, NIST guidance, or the Securities
and Exchange Commission’s guidance). Firms that use this checklist must adapt it to reflect their particular business, products, and
customer base. Use of this checklist does not create a "safe harbor" with respect to FINRA rules, federal or state securities laws, or
other applicable federal or state regulatory requirements.
Methodology:
Using this checklist, firms will identify and inventory their information assets, assess the adverse impact to customers and the firm if the
assets were compromised, identify potential protections and processes that secure the assets, and then make a risk-based assessment
considering their resources, the consequences of a potential breach and available protections and safeguards. Firms may decide to
remediate or address some high level risk impact vulnerabilities or they may decide that the threat is a low level risk impact which they
can accept. Firms should articulate why they decided to remediate or chose not to remediate. Completing this checklist will require
time and effort from senior executives at the firm. At a minimum, firms should know the assets that are vulnerable to a cyber-incident,
and they should assign a risk level to these assets. Senior executives will then be informed on how best to allocate firm resources to
protect the firm’s and customers’ information. See questions in the "Procedures for completing this checklist" section below.
Assistance:
At small firms, one person may be responsible for operations, compliance and legal functions including the cybersecurity program, and
he or she may not understand the technology at issue or terms used in this checklist. In this instance, the firm may consider working
with outside technology help, industry trade associations or other peer groups, their vendors or their FINRA Risk Analyst to understand
the information discussed in this checklist. Many small firms rely on clearing firms and vendors to maintyst customer accounts and
transact business but these small firms should not assume that others are responsible for preventing or reacting to a cyber-incident. If
you have any questions or issues with the Checklist please contact cybertech@finra.org.
Using Excel:
This checklist is in Excel and uses Excel formulas. The person completing this checklist should have a basic knowledge of Excel. There are
also many helpful video tutorials on Excel available on YouTube for those who may need assistance with how to use Excel.
Please note: If you need to insert a new row in Section 1, you will also need to insert rows on the other Sections and copy the pre-
existing formulas into the newly inserted cells.
CYBERSECURITY
Checklist for a Small Firm's Cybersecurity Program
Firm Name:
Person(s) Responsible for Cybersecurity Program:
Last Date Reviewed:
Key Personnel:
Firm's IT Consultant:
Procedure for completing this Checklist
Please review the five questions below and based upon your answers, you should complete the sections (12 tabs total) applicable to
your business. The five core sections of the checklist follow the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and
Recover.
Questions about your firm's assets and systems:
1) Do you store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm
sensitive information (e.g. financial records) electronically?
If you answer yes to question 1, you will fill out the following sections of the Cybersecurity Checklist:
Section 1 - Identify and Assess Risks: Inventory
Section 2 - Identify and Assess Risks: Minimize Use
Section 4 - Protect: Information Assets
Section 6 - Protect: Encryption
Section 8 - Protect: Controls and Staff Training
Section 9 - Detect: Penetration Testing
Section 10 - Detect: Intrusion
Section 11 - Response Plan
2) Do you transmit PII or firm sensitive information to a third party, or otherwise allow access to your PII or firm sensitive
information by a third party?
3) Do your employees (or independent contractors) maintain devices that access PII or firm sensitive information?
If you answer yes to question 3, you will fill out:
Section 7 - Protect: Employee Devices
4) Do you have assets that if lost or made inoperable would impact your firm's operations (e.g., trading or order management
systems)?
5) If your systems, PII or firm sensitive information were made inoperable or stolen, would you need to recover them to conduct
business?
Helpful Links:
FINRA Resources:
FINRA's Report on Cybersecurity Practices-2018
FINRA’s Report on Cybersecurity Practices-2015
FINRA List of Common Cybersecurity Threats
FINRA's Core Cybersecurity Controls for Small Firms
FINRA Firm Checklist for Compromised Accounts
Recent Notices
Imposter Websites Impacting Member Firms
Cybersecurity Alert: Cloud-Based Email Account Takeovers
Others:
Center for Internet Security website
NIST Small Business Cybersecurity Corner
NIST Framework Version 1.1
Center for Internet Security - Top 20 CIS Controls & Resources
FFIEC - Cybersecurity Assessment Tool
Homeland Cybersecurity Evaluation Tool for Self Assessment
CSIS -Controlled Use of Administrative Privileges
SysAdmin Audit Network and Security (SANS.Org)
Compilation of States Security Breach Notification Laws
FBI Contact List
Secret Service Contact List
Personally Identifiable information, NIST’s Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (see pages 2-1 and 2-2)
Inventory of PII and Firm Sensitive Information, please see FINRA’s Report on Cybersecurity Practices - 2015 (see pages 12-13)
Asset Inventory, please see FINRA's Report on Selected Cybersecurity Practices - 2018 (see page 3)
Minimizing Collection of PII, NIST’s Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (see pages 4-3)
Risk Assessment, please see FINRA's Report on Cybersecurity Practices - 2015 (see pages 12-15)
Section 6 - Protect-Encryption
Understanding Encryption, FINRA’s Report on Cybersecurity Practices (see pages 20-21)
Data Loss Prevention, please see FINRA's Report on Selected Cybersecurity Practices - 2018 (see page 11)
Section 10 - Detect-Intrusion
NIST's Guide to Intrusion Detection and Prevention Systems (IDPS) final version
Security Information and Event Management (SIEM) and User and Entity Behavioral Analytic (UEBAQ) Tools, FINRA's Report on Selected Cybersecurity Practices - 20
Section 12 - Recovery
Eradication of Cyber breach and Recovery, NIST’s Computer Security Incident Handling Guide (see pages 35-37)
Incident Response Planning, FINRA's Report on Cybersecurity Practices - 2015 (see pages 23-25)
If your answer to the following question is YES, complete this tab (Section 1):
1) Do you store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g.,
financial records) electronically?
Section 1- Identify and Assess Risks: Inventory (Definitions provided below in rows 21-36)
***Risk Severity Level
*Description of PII or Firm Sensitive Data **Location (e.g. Network Drive, Systems Folder, Email) (H/M/L)
Definitions:
Where is personally identifiable information (PII) or firm sensitive information located on your systems or other electronic storage (include your branch
offices and unregistered locations)?
* PII or Firm Sensitive Information – includes name, social security number, date and place of birth, mother’s maiden name, or financial records including
customer accounts and holding information. Firm sensitive information can include data such as contact address information, email addresses, marketing
plans, employee information, financial records, and tax filings, etc. Firms can list data at a group level such as customer account information, or at the
granular level such as social security number, customer name, date of birth etc.
** Location – where the electronic information information is stored, such as on a network drive, system folder, laptop or email. If the same data is stored in
more than one location, complete a separate entry for each location.
*** Risk Severity Level – Assign a risk severity classification to the data (e.g., low, medium or high). There is no one-size-fits-all way to assign risk severity, but
a firm may consider the severity of the impact to customers and the firm if the PII or firm sensitive data were compromised.
Section 2- Identify and Assess Risks: Minimize Use (See more details below in rows 21-29)
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
Have you taken steps to minimize the use and proliferation of PII or firm sensitive data?
* Business objective can be met without data – One way to mitigate risk is to remove the PII or firm sensitive data from your systems and networks. You should consider whether you can do your business without storing
the PII or firm sensitive information in the system or network location. When removing data from your systems and networks, you should keep in mind any books and records obligations you might have with respect to
this data.
** Sharing data – You should consider how the PII or firm sensitive data is shared, identify people or systems that do not require access to the data, and consider limiting access to this data to those who need it.
*** Remediate – If you determine that there is no business purpose to store or share the PII or firms sensitive information, you should remediate by either removing the data from the location or not sharing it. When
removing data from your systems and networks, you should keep in mind any books and records obligations you might have with respect to this data. If you are required to store and share the data, you should consider
the risk severity of the data being compromised and consider whether a business practice could be changed to mitigate the risk (e.g., if a business process involves using a customer’s social security number, change the
process to use another customer specific identifier rather than the social security number).
Have you taken steps to minimize the use and proliferation of PII or firm sensitive data?
*If Business
your answer to the can
objective following
be metquestion
withoutisdata
YES,–complete
One way this tab (Section
to mitigate risk is2):
to remove the PII or firm sensitive data from your systems and networks. You should consider whether you can do your business without storing
the
1) DoPII you
or firm sensitive
store, use orinformation in the system
transmit personally or network
identifiable location.(PII)
information When removing
(e.g., data from
social security your systems
numbers or dateand networks,
of birth) yousensitive
or firm should keep in mind (e.g.,
information any books and records)
financial records obligations you might have with respect to
electronically?
this data.
Sectiondata
** Sharing data – You should consider how the PII or firm sensitive 2- Identify
is shared,and Assess
identify Risks:
people Minimize
or systems Use
that do (See more details
not require access tobelow in rows
the data, 21-29) limiting access to this data to those who need it.
and consider
** Business
*** Remediate – If you determine that there is no business purpose to store or share the PII or firms sensitive information, objective
you should can be by either removing the data
remediate from the location
***Remediation or not sharing it. When
Needed?
removing data from your systems and networks, you Location
should(e.g.
keepNetwork
in mind any books and records*Business objective
obligations you mightaccomplished without
have with respect datadata. If you are required to store and share the data, you should consider
to this
PII or of
Firm Risk Severity Level
the risk severity theSensitive Data
data being Drive,
compromised and Systems
consider Folder,
whether practice couldcan
a business(H/M/L) be met without
be changed being
to mitigate theoutput or shared
risk (e.g., with process involves using a customer’s social security number, change the
if a business
Email)
process to use another customer specific identifier rather than the social security number). data (Y/N)? other internal systems or
people (Y/N)? Remediation
Yes/No Remediation Steps Status
If your answer to the following question is YES, complete this tab (Section 3):
2) Do you transmit PII or firm sensitive information to a third party, or otherwise allow access to your PII or firm sensitive information by a third party?
Section 3- Identify and Assess Risks: Third Party (See more details below in rows 21-35)
Bank
Clearing Firm
Third-Party Risk Management: Do you transmit PII or firm sensitive information to a third party, or otherwise allow access to your PII or firm sensitive information by a third party? (e.g., your vendors, clearing firm, customers, etc.)?
Section 3- Identify and Assess Risks: Third Party (See more details below in rows 21-35)
Section 3- Identify and Assess Risks: Third Party (See more details below in rows 21-35)
Ex-vendors/customers' access
terminated immediately
Breach notifications
Right-to-audit clauses
Use of subcontractors
Section 3- Identify and Assess Risks: Third Party (See more details below in rows 21-35)
Section 4- Protect: Information Assets (See more details below in rows 21-27)
^^ Remediation Needed?
* Password Protection ** Malware/Anti- ^ List other protections
Location (e.g., Network Risk Severity Installed and Password
PII or Firm Sensitive Data Drive, Systems Folder, Email) Level (H/M/L) Reset From Default Virus Protection (e.g., firewalls used to
Installed (Y/N)? protect assets)
(Y/N)? Remediation
Yes/No Remediation Steps Status
Group Level Example: Customer Account
Information Network Drive High
Granular Example: Customer SS# G Drive High
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
* Password Protection – Are the systems where you store, use, or transmit PII or firm sensitive data password protected? If so, have you reset from the default password?
** Malware/Anti-Virus Protection – Do you install and regularly update malware or anti-virus software?
^ Other Protections – Do you use other protections like firewalls to protect information?
^^ Remediate – You should conduct a risk assessment of the strength of the protections considered with the assigned risk severity level, together with your resources and consider whether protections should be enhanced (e.g., include stronger
password requirements, installing malware or anti-virus protections or other system protections).
Section 4- Protect: Information Assets (See more details below in rows 21-27)
^^ Remediation Needed?
* Password Protection ** Malware/Anti- ^ List other protections
Location (e.g., Network Risk Severity Installed and Password
PII or Firm Sensitive Data Drive, Systems Folder, Email) Level (H/M/L) Reset From Default Virus Protection (e.g., firewalls used to
Installed (Y/N)? protect assets)
(Y/N)? Remediation
Yes/No Remediation Steps Status
Do you have a process in place defining and implementing a password policy, educating users and regularly updating malware and anti-
virus software?
Remediation Needed?
Remediation
Policy Yes/No Yes/No Remediation Steps Status
Multi-Factor Authentication
List system assets that are important to your operations (e.g., trading or order management systems or systems maintaining customer account information):
Remediation
Remediation Steps Status
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
Encryption is the process of encoding messages or information in such a way that only authorized parties can read it.
Have you taken steps to encrypt the data?
* Encrypted in transit to external sources – Data can be a shared in many ways including an email to someone external to the firm, over the internet, and between client and a server, between two servers, between two networks etc. If the
firm prohibits PII from being transmitted to external sources, the firm should note this in the remediation steps.
** Internal use – Data is stored in many places within an organization, including on file servers, on workstations and on portable media such as thumb drives. Data is also shared internally via email between two employees, for example.
*** Encrypted at backup – Data is often stored in a non-network or non-system media which can be lost or stolen.
^ Has it been masked when displayed – Data such as social security numbers can be masked whenever displayed to a person accessing that data.
^^ Remediate – After identifying where data is encrypted and where it is not, you should consider the risk severity level and its resources, and decide what remediation steps to take, if any, including encrypting all outgoing emails or all
emails, encrypting all PII and firm sensitive information at rest or in storage, or masking the data when it is displayed.
If your answer to the following question is YES, complete this tab (Section 6):
1) Do you store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically?
* Access to PII and Firm Sensitive Data – Does the device have access to PII and firm sensitive data?
** Risk Severity Level – Assign a risk severity level to the PII or firm sensitive information the internal person can access considering the impact to customers and the firm if the information were compromised.
^ Protected/Encrypted – Are devices secured with passwords? Is data encrypted if lost?
^^ Remediate – You should take into account the access to PII and firm sensitive information and the risk severity of compromise, and conduct a risk assessment of whether to deny access to all or part of the PII or firm sensitive information, protect the information better by encrypting
the data and having the ability to remove all data from a device if it is lost or stolen.
If your answer to the following question is YES, please complete this tab (Section 8):
1) Do you store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records)
electronically?
External (internet)
Application Specific
Consider conducting a Third-Party Penetration Test of your infrastructure or using existing staff to conduct a penetration test. Determine the scope of the systems you want tested taking into account risks and your resources. For
example, will penetration testing be limited to identifying vulnerabilities or will the penetration test attempt to obtain sensitive information from the firm? Will the test include outside threats, mainly the internet or will it also include
internal (employee/vendor) tests? Should the test be done as a surprise without letting employees or users of your system know, or should you inform them? After conducting the test, firms should identify vulnerabilities and conduct a
risk assessment of whether to remediate.
If your answer to the following question is YES, complete this tab (Section 10):
1) Do you store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically?
You should consider having an Intrusion Detection System (IDS) and or Intrusion Prevention System (IPS) which detects or prevents attempt to compromise the confidentiality, integrity or availability of your systems. Intrusion
detection or prevention products are tools that can assist in protecting a company from intrusion by expanding the options available to manage the risk from threats and vulnerabilities. Intrusion detection and prevention capabilities can
help a company secure its information. The tool could be used to detect or prevent an intruder, identify and stop the intruder, support investigations to find out how the intruder got in, and stop exploitation by future intruders. If the
answer is No, you should conduct a risk assessment on whether to invest in an IDS/IPS.
A very simple, but effective method for the firm to detect vulnerabilities is to inform staff to report suspicion of intrusion to the person who manages the firm's technology assets. This could be in the form of a hotline or email. For
example, if a staff person receives a phishing email and notes it as such, they should contact someone at the firm who can take action to prevent an intrusion before a colleague clicks on the link.
Are the following controls implemented? If No, assess the risk of not having the controls and decide whether to remediate.
Remediation Needed?
1) Do you store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically?
Section 11 - Response Plan (See more details below in rows )
Response Plan in Risk Severity Level Remediation Needed?
Incident
Place (Y/N)? (H/M/L) Yes/No Remediation Steps Remediation Status
Create communications plan and review with executives. Conduct test on how
Example: Ransomware Attack No High Yes we would respond if we suffered a ransomware attack. In Process
Prepare incident responses to which you are most likely to be subject. The response should include a communication plan to notify your senior executives who need to know about the incident. Firm senior
executives should decide how to contain and mitigate the breach. You should run through different types of incidents you may suffer and plan how you would respond. Firms should prepare incident
responses for those types of incidents to which the firm is most likely to be subject, e.g., loss of customer PII, data corruption, denial of service (DoS) or distributed denial of service (DDoS) attack, network
intrusion, customer account intrusion or malware infection. Types of responses to consider include: full or partial shutdown of systems, disconnect system from the network, delete and reinstall malware, or
disabling a user from system access. You can add to or delete from the list as appropriate to your business.
1) Do you store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically?
Section 11 - Response Plan (See more details below in rows )
Response Plan in Risk Severity Level Remediation Needed?
Incident
Place (Y/N)? (H/M/L) Yes/No Remediation Steps Remediation Status
Metrics
Activity/Governance Yes/No
Do you maintain a list of cybersecurity
incidents? (i.e., phishing, stolen device,
etc.)
In recovery, administrators restore systems to normal operation, confirm that the systems are functioning normally, and remediate vulnerabilities to prevent similar incidents.
If the answer to one of the below questions is No, firms should conduct a risk assessment and decide whether to invest in the process to remediate.
Remediation Needed?
Risk Severity
Controls
Level (H/M/L) Remediation
Yes/No Yes/No Remediation Steps Status
Do you have regularly scheduled backups to restore
critical data or systems should they be lost in a cyber-
incident?
Firm Name: 0
Person(s) Responsible for Cybersecurity Program: 0
Last Updated: (FINRA's last update) Version 1.2 June 2020
Cybersecurity Summary Report: This report consolidates your responses from sections 1-12 and can be used to understand where your cybersecurity risks are, where you may need to dedicate
budget and resources to remediate, and where you can choose to accept the risk. This report may also be useful for executive and board level updates. The report includes 10 responses per section.
If you would like to add more rows, please contact us at memberrelations@FINRA.org. Note you can filter your report by clicking on the down arrow on the column you would like to sort, check the
boxes for the data you want to display, then click okay.
Firm Name: 0
Person(s) Responsible for Cybersecurity Program: 0
Last Updated: (FINRA's last update) Version 1.2 June 2020
Cybersecurity Summary Report: This report consolidates your responses from sections 1-12 and can be used to understand where your cybersecurity risks are, where you may need to dedicate
budget and resources to remediate, and where you can choose to accept the risk. This report may also be useful for executive and board level updates. The report includes 10 responses per section.
If you would like to add more rows, please contact us at memberrelations@FINRA.org. Note you can filter your report by clicking on the down arrow on the column you would like to sort, check the
boxes for the data you want to display, then click okay.
Firm Name: 0
Person(s) Responsible for Cybersecurity Program: 0
Last Updated: (FINRA's last update) Version 1.2 June 2020
Cybersecurity Summary Report: This report consolidates your responses from sections 1-12 and can be used to understand where your cybersecurity risks are, where you may need to dedicate
budget and resources to remediate, and where you can choose to accept the risk. This report may also be useful for executive and board level updates. The report includes 10 responses per section.
If you would like to add more rows, please contact us at memberrelations@FINRA.org. Note you can filter your report by clicking on the down arrow on the column you would like to sort, check the
boxes for the data you want to display, then click okay.
7 Section 8 - Protect: Controls and Staff Training Do you define cybersecurity training needs? 0 0 0
Do you conduct training in regular intervals (e.g., quarterly or
7 Section 8 - Protect: Controls and Staff Training annually)? 0 0 0
7 Section 8 - Protect: Controls and Staff Training Do you develop interactive training? 0 0 0
Does training take into account firm specific risks, systems and loss
7 Section 8 - Protect: Controls and Staff Training incidents history? 0 0 0
8 Section 9 - Detect: Penetration Testing External (internet) 0 0 0
8 Section 9 - Detect: Penetration Testing Internal (intranet, employee or ex-employee) 0 0 0
8 Section 9 - Detect: Penetration Testing Application Specific 0 0 0
9 Section 10 - Detect: Intrusion Intrusion Detection System/ Intrusion Prevention System (IDS/IPS) 0 0 0
10 Section 11 - Response Plan Example: Ransomware Attack High Yes In Process
10 Section 11 - Response Plan 0 0 0 0
10 Section 11 - Response Plan 0 0 0 0
10 Section 11 - Response Plan 0 0 0 0
10 Section 11 - Response Plan 0 0 0 0
10 Section 11 - Response Plan 0 0 0 0
10 Section 11 - Response Plan 0 0 0 0
10 Section 11 - Response Plan 0 0 0 0
10 Section 11 - Response Plan 0 0 0 0
10 Section 11 - Response Plan 0 0 0 0
Cybersecurity Summary Report
Firm Name: 0
Person(s) Responsible for Cybersecurity Program: 0
Last Updated: (FINRA's last update) Version 1.2 June 2020
Cybersecurity Summary Report: This report consolidates your responses from sections 1-12 and can be used to understand where your cybersecurity risks are, where you may need to dedicate
budget and resources to remediate, and where you can choose to accept the risk. This report may also be useful for executive and board level updates. The report includes 10 responses per section.
If you would like to add more rows, please contact us at memberrelations@FINRA.org. Note you can filter your report by clicking on the down arrow on the column you would like to sort, check the
boxes for the data you want to display, then click okay.
11 Section 12 - Recovery Do you have a plan to replace compromised files with clean versions? 0 0 0
Do you have a plan to install patches, change passwords and tighten
11 Section 12 - Recovery network should a cyber-incident take place? 0 0 0