Smallfirm Cybersecurity Checklist

CYBERSECURITY
Checklist for a Small Firm's Cybersecurity Program
Firm Name:
Person(s) Responsible for Cybersecurity Program:
Last Date Reviewed:
Key Personnel:
Firm's IT Consultant:
Last Updated: (FINRA's last update) Version 1.2 June 2020
Cybersecurity Checklist Version 1.2 June 2020 Release Notes:

-Added new links and updated some links to Overview and Resources tabs
-Updated existing links to include the latest version of content in Overview and Resources tabs
Important:
Legend for Text Entry Fields
Cybersecurity is broadly defined as the protection of investor and firm information from compromise through the use—in whole or in Enter Free Text
part—of information technology. Compromise refers to a loss of data confidentiality, integrity or availability. This checklist is provided Pre-Populated Fields
to assist small member firms with limited resources to establish a cybersecurity program to identify and assess cybersecurity threats, Choose from Drop Down List
protect assets from cyber intrusions, detect when their systems and assets have been compromised, plan for the response when a
compromise occurs and implement a plan to recover lost, stolen or unavailable assets. This checklist is primarily derived from the Locked Down Fields
National Institute of Standards and Technology (NIST) Cybersecurity Framework and FINRA’s Reports on Cybersecurity Practices (See Insert Rows
Resources Tab).
Using this checklist is optional:
This checklist is not exhaustive and firms should address their cybersecurity program in a way that best suits their business model.
There is no one-size-fits-all cybersecurity program. Firms may choose to develop or use their own checklist, borrow sections from this
checklist to include in their own checklist, or use a different resource (e.g., SIFMA’s small firm check list, NIST guidance, or the Securities
and Exchange Commission’s guidance). Firms that use this checklist must adapt it to reflect their particular business, products, and
customer base. Use of this checklist does not create a "safe harbor" with respect to FINRA rules, federal or state securities laws, or
other applicable federal or state regulatory requirements.
Methodology:
Using this checklist, firms will identify and inventory their information assets, assess the adverse impact to customers and the firm if the
assets were compromised, identify potential protections and processes that secure the assets, and then make a risk-based assessment
considering their resources, the consequences of a potential breach and available protections and safeguards. Firms may decide to
remediate or address some high level risk impact vulnerabilities or they may decide that the threat is a low level risk impact which they
can accept. Firms should articulate why they decided to remediate or chose not to remediate. Completing this checklist will require
time and effort from senior executives at the firm. At a minimum, firms should know the assets that are vulnerable to a cyber-incident,
and they should assign a risk level to these assets. Senior executives will then be informed on how best to allocate firm resources to
protect the firm’s and customers’ information. See questions in the "Procedures for completing this checklist" section below.
Assistance:
At small firms, one person may be responsible for operations, compliance and legal functions including the cybersecurity program, and
he or she may not understand the technology at issue or terms used in this checklist. In this instance, the firm may consider working
with outside technology help, industry trade associations or other peer groups, their vendors or their FINRA Risk Analyst to understand
the information discussed in this checklist. Many small firms rely on clearing firms and vendors to maintyst customer accounts and
transact business but these small firms should not assume that others are responsible for preventing or reacting to a cyber-incident. If
you have any questions or issues with the Checklist please contact cybertech@finra.org.
Using Excel:
This checklist is in Excel and uses Excel formulas. The person completing this checklist should have a basic knowledge of Excel. There are
also many helpful video tutorials on Excel available on YouTube for those who may need assistance with how to use Excel.
Please note: If you need to insert a new row in Section 1, you will also need to insert rows on the other Sections and copy the pre-
existing formulas into the newly inserted cells.
CYBERSECURITY
Checklist for a Small Firm's Cybersecurity Program
Firm Name:
Person(s) Responsible for Cybersecurity Program:
Last Date Reviewed:
Key Personnel:
Firm's IT Consultant:
Procedure for completing this Checklist
Please review the five questions below and based upon your answers, you should complete the sections (12 tabs total) applicable to
your business. The five core sections of the checklist follow the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and
Recover.
Questions about your firm's assets and systems:
1) Do you store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm
sensitive information (e.g. financial records) electronically?
If you answer yes to question 1, you will fill out the following sections of the Cybersecurity Checklist:
Section 1 - Identify and Assess Risks: Inventory
Section 2 - Identify and Assess Risks: Minimize Use
Section 4 - Protect: Information Assets
Section 6 - Protect: Encryption
Section 8 - Protect: Controls and Staff Training
Section 9 - Detect: Penetration Testing
Section 10 - Detect: Intrusion
Section 11 - Response Plan
2) Do you transmit PII or firm sensitive information to a third party, or otherwise allow access to your PII or firm sensitive
information by a third party?
If you answer yes to question 2, you will fill out:

Section 3 - Identify and Assess Risks: Third Party Access
3) Do your employees (or independent contractors) maintain devices that access PII or firm sensitive information?
Section 7 - Protect: Employee Devices
4) Do you have assets that if lost or made inoperable would impact your firm's operations (e.g., trading or order management
systems)?

Section 5 - Protect: Systems Assets
5) If your systems, PII or firm sensitive information were made inoperable or stolen, would you need to recover them to conduct
business?

Section 12 - Recovery
How to print current section (tab):
From the top left, click File, then click Print, then under Setting, select Print Active Sheets, then click Print
How to print all sections (Entire Workbook):

From the top left, click File, then click Print, then under Setting, > Print Active Sheets, select Print Entire Workbook, then click
Print
How to save my excel file:

From top left, click File, then click Save As, select a location to save, type in selected file name, then click Save
Helpful Links:
FINRA Resources:
FINRA's Report on Cybersecurity Practices-2018
FINRA’s Report on Cybersecurity Practices-2015
FINRA List of Common Cybersecurity Threats
FINRA's Core Cybersecurity Controls for Small Firms
FINRA Firm Checklist for Compromised Accounts
Recent Notices
Imposter Websites Impacting Member Firms
Cybersecurity Alert: Cloud-Based Email Account Takeovers
Others:
Center for Internet Security website
NIST Small Business Cybersecurity Corner
NIST Framework Version 1.1
Center for Internet Security - Top 20 CIS Controls & Resources
FFIEC - Cybersecurity Assessment Tool
Homeland Cybersecurity Evaluation Tool for Self Assessment
CSIS -Controlled Use of Administrative Privileges
SysAdmin Audit Network and Security (SANS.Org)
Compilation of States Security Breach Notification Laws
FBI Contact List
Secret Service Contact List
Section 1 - Identify and Assess Risks-Inventory
Personally Identifiable information, NIST’s Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (see pages 2-1 and 2-2)
Inventory of PII and Firm Sensitive Information, please see FINRA’s Report on Cybersecurity Practices - 2015 (see pages 12-13)
Asset Inventory, please see FINRA's Report on Selected Cybersecurity Practices - 2018 (see page 3)
Section 2 - Identify and Assess Risks-Minimize Use
Minimizing Collection of PII, NIST’s Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (see pages 4-3)
Risk Assessment, please see FINRA's Report on Cybersecurity Practices - 2015 (see pages 12-15)
Section 3 - Identify and Assess Risks-Third Party

Vendor Management, FINRA’s Report on Cybersecurity Practices (see pages 26-30)
AICPA Reporting on Controls at Service Organization (SSAE 18)
2020 Standardized Information Gathering (SIG) Tools (Questionnaire firms can use for collecting information on vendors
Insider Threats, please see FINRA's Report on Selected Cybersecurity Practices - 2018 (see pages 8-12)
Section 4 - Protect-Information Assets
NIST's Guide to Malware Incident Prevention and Handling (see sections 3 & 4)
Technical Controls, please see FINRA's Report on Selected Cybersecurity Practices - 2018 (see pages 16-22)
Section 5 - Protect-System Assets

Identifying Critical Assets to Protect, FINRA’s Report on Cybersecurity Practices for a discussion on conducting the inventory (see page 12)
Section 6 - Protect-Encryption
Understanding Encryption, FINRA’s Report on Cybersecurity Practices (see pages 20-21)
Data Loss Prevention, please see FINRA's Report on Selected Cybersecurity Practices - 2018 (see page 11)
Section 7 - Protect-Employees Devices

Securing Mobile Devices, SANS Institute on Cybersecurity The Critical Security Controls for Effective Cyber Defense Version 5.0 (see page 19)
Mobile Devices, please see FINRA's Report on Selected Cybersecurity Practices - 2018 (see pages 14-16)
Section 8 - Protect- Controls and Staff Training

Vendor Management, FINRA’s Report on Cybersecurity Practices (see pages 31-33)
Staff Training, FINRA's Report on Cybersecurity Practices - 2015 (see pages 31-33)
Section 9 - Detect-Penetration Testing

Conducting Penetration Testing, NIST’s Technical Guide to Information Security Testing and Assessment
FINRA’s Report on Cybersecurity Practices (see pages 21-22)
Penetration Testing, please see FINRA's Report on Selected Cybersecurity Practices - 2018 (see pages 13-14)
Section 10 - Detect-Intrusion
NIST's Guide to Intrusion Detection and Prevention Systems (IDPS) final version
Security Information and Event Management (SIEM) and User and Entity Behavioral Analytic (UEBAQ) Tools, FINRA's Report on Selected Cybersecurity Practices - 20
Section 11 - Response Plan

Issues to Consider when Developing a Response Plan, FINRA’s Report on Cybersecurity Practice (see pages 23-25)
Incident Response Planning, FINRA's Report on Cybersecurity Practices - 2015 (see pages 23-25)
Section 12 - Recovery
Eradication of Cyber breach and Recovery, NIST’s Computer Security Incident Handling Guide (see pages 35-37)
Incident Response Planning, FINRA's Report on Cybersecurity Practices - 2015 (see pages 23-25)
If your answer to the following question is YES, complete this tab (Section 1):
1) Do you store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g.,
financial records) electronically?
Section 1- Identify and Assess Risks: Inventory (Definitions provided below in rows 21-36)
***Risk Severity Level
*Description of PII or Firm Sensitive Data **Location (e.g. Network Drive, Systems Folder, Email) (H/M/L)
Group Level Example: Customer Account Information Network Drive High
Granular Example: Customer SS# G Drive High
Definitions:
Where is personally identifiable information (PII) or firm sensitive information located on your systems or other electronic storage (include your branch
offices and unregistered locations)?
* PII or Firm Sensitive Information – includes name, social security number, date and place of birth, mother’s maiden name, or financial records including
customer accounts and holding information. Firm sensitive information can include data such as contact address information, email addresses, marketing
plans, employee information, financial records, and tax filings, etc. Firms can list data at a group level such as customer account information, or at the
granular level such as social security number, customer name, date of birth etc.
** Location – where the electronic information information is stored, such as on a network drive, system folder, laptop or email. If the same data is stored in
more than one location, complete a separate entry for each location.
*** Risk Severity Level – Assign a risk severity classification to the data (e.g., low, medium or high). There is no one-size-fits-all way to assign risk severity, but
a firm may consider the severity of the impact to customers and the firm if the PII or firm sensitive data were compromised.
Directions on inserting new rows:

Select a row in orange and right-click on the row number; choose "Insert." If you insert row(s) on Section 1, remember to also insert row(s) for Sections 2, 4,
6, and Summary. Once you have inserted the row(s) in Sections 2, 4, 6, and Summary, you will need to copy the formula from that Section into the newly
created row(s). Do this by right-clicking on an existing row and choosing copy, then selecting the new row(s) and right-clicking and choosing paste. If you
have any questions feel free to email us at cybertech@finra.org
1) Do you store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records) electronically?
Section 2- Identify and Assess Risks: Minimize Use (See more details below in rows 21-29)
** Business objective can be ***Remediation Needed?

Location (e.g. Network *Business objective accomplished without data
Risk Severity Level
PII or Firm Sensitive Data Drive, Systems Folder, (H/M/L) can be met without being output or shared with
Email) data (Y/N)? other internal systems or
people (Y/N)? Remediation
Yes/No Remediation Steps Status
Group Level Example: Customer Account

Information Network Drive High No N/A
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
Have you taken steps to minimize the use and proliferation of PII or firm sensitive data?
* Business objective can be met without data – One way to mitigate risk is to remove the PII or firm sensitive data from your systems and networks. You should consider whether you can do your business without storing
the PII or firm sensitive information in the system or network location. When removing data from your systems and networks, you should keep in mind any books and records obligations you might have with respect to
this data.
** Sharing data – You should consider how the PII or firm sensitive data is shared, identify people or systems that do not require access to the data, and consider limiting access to this data to those who need it.
*** Remediate – If you determine that there is no business purpose to store or share the PII or firms sensitive information, you should remediate by either removing the data from the location or not sharing it. When
removing data from your systems and networks, you should keep in mind any books and records obligations you might have with respect to this data. If you are required to store and share the data, you should consider
the risk severity of the data being compromised and consider whether a business practice could be changed to mitigate the risk (e.g., if a business process involves using a customer’s social security number, change the
process to use another customer specific identifier rather than the social security number).
Have you taken steps to minimize the use and proliferation of PII or firm sensitive data?
*If Business
your answer to the can
objective following
be metquestion
withoutisdata
YES,–complete
One way this tab (Section
to mitigate risk is2):
to remove the PII or firm sensitive data from your systems and networks. You should consider whether you can do your business without storing
the
1) DoPII you
or firm sensitive
store, use orinformation in the system
transmit personally or network
identifiable location.(PII)
information When removing
(e.g., data from
social security your systems
numbers or dateand networks,
of birth) yousensitive
or firm should keep in mind (e.g.,
information any books and records)
financial records obligations you might have with respect to
electronically?
this data.
Sectiondata
** Sharing data – You should consider how the PII or firm sensitive 2- Identify
is shared,and Assess
identify Risks:
people Minimize
or systems Use
that do (See more details
not require access tobelow in rows
the data, 21-29) limiting access to this data to those who need it.
and consider
** Business
*** Remediate – If you determine that there is no business purpose to store or share the PII or firms sensitive information, objective
you should can be by either removing the data
remediate from the location
***Remediation or not sharing it. When
Needed?
removing data from your systems and networks, you Location
should(e.g.
keepNetwork
in mind any books and records*Business objective
obligations you mightaccomplished without
have with respect datadata. If you are required to store and share the data, you should consider
to this
PII or of
Firm Risk Severity Level
the risk severity theSensitive Data
data being Drive,
compromised and Systems
consider Folder,
whether practice couldcan
a business(H/M/L) be met without
be changed being
to mitigate theoutput or shared
risk (e.g., with process involves using a customer’s social security number, change the
if a business
Email)
process to use another customer specific identifier rather than the social security number). data (Y/N)? other internal systems or
people (Y/N)? Remediation
2) Do you transmit PII or firm sensitive information to a third party, or otherwise allow access to your PII or firm sensitive information by a third party?
Section 3- Identify and Assess Risks: Third Party (See more details below in rows 21-35)
^ Have you assessed the ^^ Are there controls in

**PII or Firm Sensitive ****Is it necessary for the Third- Third-Party Organization to ^^^ Remediation Needed?
*Name of Third-Party Data transmitted to Third- ***Risk Severity Party Organization to access the ensure that they have place to isolate Third-
Organization Level Party Connections from
Party Organization (Y/N)? data transmitted (Y/N)? effective security practices your critical assets (Y/N)?
(Y/N)?
Remediation
Bank
Clearing Firm
Third-Party Risk Management: Do you transmit PII or firm sensitive information to a third party, or otherwise allow access to your PII or firm sensitive information by a third party? (e.g., your vendors, clearing firm, customers, etc.)?
* Name of Third-Party – Corporation or individual’s name.

** PII or Firm Sensitive Information Transmitted – Answer "yes" if the third party receives or has access to firm PII or firm sensitive information.
*** Risk Severity Level – For each third party organization, the firm should assign a risk level. Assign a risk severity classification to the data transmitted (e.g., low, medium or high). There is no one-size-fits-all way to assign risk severity, but a firm may
consider the severity of the impact to customers and the firm if the data being transmitted to the third party organization were compromised.
**** Is it necessary for the third-party organization to access the data transmitted – assess whether the third party requires the information it can access for a business purpose.
^ Third-Party Security – If the third party has access to PII or firm sensitive information, you should take steps to consider the security of the third-party’s systems. In the absence of an ability to make an assessment, you should attempt to obtain a
reliable assessment of the third-party’s security protections such as its most recent SSAE 16 report. The SSAE 16 report is an internal control report on the services provided by a service organization providing valuable information that can be used to
assess and address the risks associated with an outsourced services.
^^ Isolate – You should consider if the third party access to information is limited to information it requires for business reasons and the third party should be prohibited from accessing other information.
^^^ Remediate – You should consider the risk severity level and your resources and make a risk assessment of whether any remediation is necessary which could include denying access to the third party, conducting a security review of the third party, or
isolating the third party’s access to information it needs for a business purpose.
^ Have you assessed the

^^ Are there controls in ^^^ Remediation Needed?
*Name of Third-Party **PII or Firm Sensitive ***Risk Severity ****Is it necessary for the Third- Third-Party Organization to place to isolate Third-
Data transmitted to Third- Party Organization to access the ensure that they have
Organization Party Organization (Y/N)? Level data transmitted (Y/N)? effective security practices Party Connections from
your critical assets (Y/N)?
(Y/N)?
Remediation
Select a row in orange and right-click on the row number; choose "Insert." If you insert row(s) on Section 1, remember to also insert row(s) for Sections 2, 4, 6, and Summary. Once you have inserted the row(s) in Sections 2, 4, 6, and Summary, you will
need to copy the formula from that Section into the newly created row(s). Do this by right-clicking on an existing row and choosing copy, then selecting the new row(s) and right-clicking and choosing paste. If you have any questions feel free to email us
at cybertech@finra.org

(Y/N)?
Remediation
Manage Vendors and Customer Access Checklist

Remediation Needed?
Activity Yes/No Yes/No Remediation Steps Remediation Status
Pre-contract due diligence on

vendors
Ongoing due diligence of existing

vendors
Assure vendor only has access to

parts of system it needs
Ex-vendors/customers' access
terminated immediately
Customer's access is limited to

customer's data
Does Contract Address (Y/N):
Non-disclosure agreements and

confidentiality agreements
Data storage, retention, delivery,

and encryption
Breach notifications
Right-to-audit clauses
Vendor employee access

limitations
Use of subcontractors
Vendor obligation upon contract

termination

(Y/N)?
Remediation
Security processes initiated by

the vendor (e.g., acquire copy of
SSAE 16 Report-Reporting on
Controls at a Service
Organization)
Section 4- Protect: Information Assets (See more details below in rows 21-27)
^^ Remediation Needed?
* Password Protection ** Malware/Anti- ^ List other protections
Location (e.g., Network Risk Severity Installed and Password
PII or Firm Sensitive Data Drive, Systems Folder, Email) Level (H/M/L) Reset From Default Virus Protection (e.g., firewalls used to
Installed (Y/N)? protect assets)
(Y/N)? Remediation
Information Network Drive High
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
* Password Protection – Are the systems where you store, use, or transmit PII or firm sensitive data password protected? If so, have you reset from the default password?
** Malware/Anti-Virus Protection – Do you install and regularly update malware or anti-virus software?
^ Other Protections – Do you use other protections like firewalls to protect information?
^^ Remediate – You should conduct a risk assessment of the strength of the protections considered with the assigned risk severity level, together with your resources and consider whether protections should be enhanced (e.g., include stronger
password requirements, installing malware or anti-virus protections or other system protections).

Select a row in orange and right-click on the row number; choose "Insert." If you insert row(s) on Section 1, remember to also insert row(s) for Sections 2, 4, 6, and Summary. Once you have inserted the row(s) in Sections 2, 4, 6, and Summary,
you will need to copy the formula from that Section into the newly created row(s). Do this by right-clicking on an existing row and choosing copy, then selecting the new row(s) and right-clicking and choosing paste. If you have any questions
feel free to email us at cybertech@finra.org
Section 4- Protect: Information Assets (See more details below in rows 21-27)
* Password Protection ** Malware/Anti- ^ List other protections
Location (e.g., Network Risk Severity Installed and Password
PII or Firm Sensitive Data Drive, Systems Folder, Email) Level (H/M/L) Reset From Default Virus Protection (e.g., firewalls used to
Installed (Y/N)? protect assets)
(Y/N)? Remediation
Do you have a process in place defining and implementing a password policy, educating users and regularly updating malware and anti-
virus software?
Remediation Needed?
Remediation
Policy Yes/No Yes/No Remediation Steps Status
Password Strength Policy
Frequency of Password Change Policy
Multi-Factor Authentication
Training Employees on Password Hygiene
Anti-Virus Regularly Updated Policy
Malware Regularly Updated Policy

4) Do you have assets that if lost or made inoperable would impact your firm's operations (e.g., trading or order managements systems)?
Section 5- Protect: System Assets (See more details below in rows 21-31)
Are your backup data
*** Password Protection recently tested? Are your backups ^^^ Remediation Neede
^ Malware/Anti-Virus ^^ Regularly
** Risk to Firm if System Installed and Password include the date last separated from
* System is Inoperable (H/M/L) Reset From Default Protection Installed Scheduled Backups tested or plan to test production
(Y/N)? (Y/N)?
(Y/N)? under Remediation environment? (Y/N)
Steps Yes/No
List system assets that are important to your operations (e.g., trading or order management systems or systems maintaining customer account information):
* Systems – List systems where assets reside.

** Risk to Firm if System is Inoperable – Assess risk of how important a loss of the asset would be to your firm’s operations.
*** Password Protection – Is access to the asset password protected? If so, have you reset from the default password?
^ Malware/Anti-Virus Protection – Do you install and regularly update malware or anti-virus software? Or have firewalls?
^ Regularly Scheduled Backups– Do you have regularly scheduled backups to restore critical data or systems should they be lost in a cyber-incident?
^^^ Remediate – You should conduct a risk assessment of the strength of the protections considered with the assigned risk of the system being inaccessible, together with its resources and consider whether protections should be enhanc
password requirements, installing malware, anti-virus protections or firewalls, or regularly schedule backups). See Recovery section in this checklist for other considerations.
g., trading or order managements systems)?
ction 5- Protect: System Assets (See more details below in rows 21-31)
^^^ Remediation Needed?
Remediation
Remediation Steps Status
ems or systems maintaining customer account information):
be to your firm’s operations.

m the default password?
ftware? Or have firewalls?
a or systems should they be lost in a cyber-incident?
ered with the assigned risk of the system being inaccessible, together with its resources and consider whether protections should be enhanced (e.g., include stronger
dule backups). See Recovery section in this checklist for other considerations.
Section 6- Protect: Encryption (See more details below in rows 21-30)

** Is data encrypted *** Is data
* Is Data
Risk Severity Level encrypted in when shared encrypted when ^ Is data
PII or Firm Sensitive Data Location internally and at rest archived to masked when
(H/M/L) transit to external
within the system backup media displayed (Y/N)?
sources (Y/N)?
(Y/N)? (Y/N)? Remediation

Information Network Drive High
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
0 0 0
Encryption is the process of encoding messages or information in such a way that only authorized parties can read it.
Have you taken steps to encrypt the data?
* Encrypted in transit to external sources – Data can be a shared in many ways including an email to someone external to the firm, over the internet, and between client and a server, between two servers, between two networks etc. If the
firm prohibits PII from being transmitted to external sources, the firm should note this in the remediation steps.
** Internal use – Data is stored in many places within an organization, including on file servers, on workstations and on portable media such as thumb drives. Data is also shared internally via email between two employees, for example.
*** Encrypted at backup – Data is often stored in a non-network or non-system media which can be lost or stolen.
^ Has it been masked when displayed – Data such as social security numbers can be masked whenever displayed to a person accessing that data.
^^ Remediate – After identifying where data is encrypted and where it is not, you should consider the risk severity level and its resources, and decide what remediation steps to take, if any, including encrypting all outgoing emails or all
emails, encrypting all PII and firm sensitive information at rest or in storage, or masking the data when it is displayed.
Section 6- Protect: Encryption (See more details below in rows 21-30)

Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. ^^ Remediation Needed?
Have you taken steps to encrypt the data?
* Encrypted in transit to external sources – Data can be a shared in many ways including an email to someone ** external
Is data encrypted ***the
to the firm, over Is internet,
data and between client and a server, between two servers, between two networks etc. If the
* Is Data
firm prohibits PII from being transmitted to external sources, the firm should
Risk noteLevel
Severity this in the in steps. when shared
remediation
encrypted encrypted when ^ Is data
PIIuse
** Internal or Firm Sensitive
– Data Data
is stored Location
in many places within an organization, including internally
and onand at restmediaarchived to maskedData
when
(H/M/L)on file servers, on external
transit to workstations portable such as thumb drives. is also shared internally via email between two employees, for example.
*** Encrypted at backup – Data is often stored in a non-network or non-system media which can be within the system
lost or stolen. backup media displayed (Y/N)?
sources (Y/N)?
(Y/N)?
^ Has it been masked when displayed – Data such as social security numbers can be masked whenever displayed to a person accessing that data. (Y/N)? Remediation
^^ Remediate – After identifying where data is encrypted and where it is not, you should consider the risk severity level and its resources, and decide what remediation steps to take, if any, including
Yes/No encrypting
Remediation all outgoing emailsStatus
Steps or all
emails, encrypting all PII and firm sensitive information at rest or in storage, or masking the data when it is displayed.
3) Do your employees (or independent contractors) maintain devices that access PII or firm sensitive information?
Section 7 - Protect: Employee Devices (See more details below in rows21-28)
^ Device Only authorized
Ability to wipe device
Name of Employee/Independent Device Type Device Owner (Firm or * Device has access to PII and ** Risk Severity Protected/E remotely if lost persons can List Protections
Contractor Individual) Firm Sensitive Data(Y/N)? Level (H/M/L) ncrypted download
(Y/N)? (Y/N)? software (Y/N)? Remediation
Are permissions restricted and devices protected?
* Access to PII and Firm Sensitive Data – Does the device have access to PII and firm sensitive data?
** Risk Severity Level – Assign a risk severity level to the PII or firm sensitive information the internal person can access considering the impact to customers and the firm if the information were compromised.
^ Protected/Encrypted – Are devices secured with passwords? Is data encrypted if lost?
^^ Remediate – You should take into account the access to PII and firm sensitive information and the risk severity of compromise, and conduct a risk assessment of whether to deny access to all or part of the PII or firm sensitive information, protect the information better by encrypting
the data and having the ability to remove all data from a device if it is lost or stolen.
If your answer to the following question is YES, please complete this tab (Section 8):
1) Do you store, use or transmit personally identifiable information (PII) (e.g., social security numbers or date of birth) or firm sensitive information (e.g., financial records)
electronically?
Section 8 - Protect: Controls and Staff Training

Are the following controls implemented? If no, conduct a risk assessment on whether to remediate.
Remediation Needed?
Remediation
Controls Implemented (Y/N)? Risk Severity Level (H/M/L) Yes/No Remediation Steps Status
Ex-employees/contractors and
ex-vendors/customers access terminated
immediately?
Monitor employees' and vendors' systems
access?
Account credentials (login and password) are

used only by the person for whom it is
created. For example, sharing of account
credentials to access FINRA systems is strictly
prohibited.
Staff Training
Do you define cybersecurity training needs?
Do you conduct training in regular intervals

(e.g., quarterly or annually)?
Do you develop interactive training?
Does training take into account firm specific

risks, systems and loss incidents history?
Section 9 - Detect: Penetration Testing
Remediation Needed?
Penetration testing in place
Tested? Date tested Problems/Vulnerabilities Identified Risk Severity Level (H/M/L) Remediation
for:
External (internet)
Internal (intranet, employee

or ex-employee)
Application Specific
Consider conducting a Third-Party Penetration Test of your infrastructure or using existing staff to conduct a penetration test. Determine the scope of the systems you want tested taking into account risks and your resources. For
example, will penetration testing be limited to identifying vulnerabilities or will the penetration test attempt to obtain sensitive information from the firm? Will the test include outside threats, mainly the internet or will it also include
internal (employee/vendor) tests? Should the test be done as a surprise without letting employees or users of your system know, or should you inform them? After conducting the test, firms should identify vulnerabilities and conduct a
risk assessment of whether to remediate.
Section 10 - Detect: Intrusion

Has the firm Does the IDS/IPS have Remediation Needed?
intrusion
System implemented an IDS/IPS Risk Severity Level (H/M/L)
(Y/N)? protection/detection
capabilities (Y/N)? Yes/No Remediation Steps Remediation Status
Intrusion Detection System/ Intrusion

Prevention System (IDS/IPS)
You should consider having an Intrusion Detection System (IDS) and or Intrusion Prevention System (IPS) which detects or prevents attempt to compromise the confidentiality, integrity or availability of your systems. Intrusion
detection or prevention products are tools that can assist in protecting a company from intrusion by expanding the options available to manage the risk from threats and vulnerabilities. Intrusion detection and prevention capabilities can
help a company secure its information. The tool could be used to detect or prevent an intruder, identify and stop the intruder, support investigations to find out how the intruder got in, and stop exploitation by future intruders. If the
answer is No, you should conduct a risk assessment on whether to invest in an IDS/IPS.
A very simple, but effective method for the firm to detect vulnerabilities is to inform staff to report suspicion of intrusion to the person who manages the firm's technology assets. This could be in the form of a hotline or email. For
example, if a staff person receives a phishing email and notes it as such, they should contact someone at the firm who can take action to prevent an intrusion before a colleague clicks on the link.
Are the following controls implemented? If No, assess the risk of not having the controls and decide whether to remediate.
Remediation Needed?
IDS/IPS Controls Yes/No Yes/No Remediation Steps Remediation Status
Do you have receive threat information

from any outside sources (e.g., Financial
Services Information Sharing and Analysis
Center (FS-ISAC))?
Do you have processes in place to triage and

act on threat information received?
Do you utilize tools to regularly

scan/monitor your systems for
vulnerabilities, secure configuration, and
current patch levels?
Do you monitor the results of these scans

and address discrepancies in a timely
manner?
Have you defined metrics for tracking the

condition of your cybersecurity controls and
reporting that condition to your senior
executives in a manner they find
actionable?
Section 11 - Response Plan (See more details below in rows )
Response Plan in Risk Severity Level Remediation Needed?
Incident
Place (Y/N)? (H/M/L) Yes/No Remediation Steps Remediation Status
Create communications plan and review with executives. Conduct test on how
Example: Ransomware Attack No High Yes we would respond if we suffered a ransomware attack. In Process
Prepare incident responses to which you are most likely to be subject. The response should include a communication plan to notify your senior executives who need to know about the incident. Firm senior
executives should decide how to contain and mitigate the breach. You should run through different types of incidents you may suffer and plan how you would respond. Firms should prepare incident
responses for those types of incidents to which the firm is most likely to be subject, e.g., loss of customer PII, data corruption, denial of service (DoS) or distributed denial of service (DDoS) attack, network
intrusion, customer account intrusion or malware infection. Types of responses to consider include: full or partial shutdown of systems, disconnect system from the network, delete and reinstall malware, or
disabling a user from system access. You can add to or delete from the list as appropriate to your business.
FBI Contact List

Section 11 - Response Plan (See more details below in rows )
Response Plan in Risk Severity Level Remediation Needed?
Incident
Place (Y/N)? (H/M/L) Yes/No Remediation Steps Remediation Status
Secret Service Contact List

Select a row in orange and right-click on the row number; choose "Insert." Reminder: you will need to copy the formula from that Section into the newly created row(s). Do this by right-clicking on an existing
orange row and choosing copy, then selecting the new row(s) and right-clicking and choosing paste.
Identifying relevant stakeholders who you should consider notifying of a breach

Law Third-Party Information
Incident Type Customers Regulators Enforcement Industry Sharing Organizations
Example: Ransomware Attack
Metrics
Activity/Governance Yes/No
Do you maintain a list of cybersecurity
incidents? (i.e., phishing, stolen device,
etc.)
Have you created a dashboard to track

creative patch coverage, anti-virus
coverage, and the number of employees
who have taken training and other
proactive defensive measures?
Do you review customer complaints and
potential cyber-related activity?
Do you share metrics with your CEO and
COO?
Do you prioritize allocation of cybersecurity
resources?
Do you communicate with senior
executives on cybersecurity and
outstanding risks?
5) If your systems, PII or firm sensitive information were made inoperable or stolen, would you need to recover them to conduct business?
Section 12- Recovery
In recovery, administrators restore systems to normal operation, confirm that the systems are functioning normally, and remediate vulnerabilities to prevent similar incidents.
If the answer to one of the below questions is No, firms should conduct a risk assessment and decide whether to invest in the process to remediate.
Remediation Needed?
Risk Severity
Controls
Level (H/M/L) Remediation
Yes/No Yes/No Remediation Steps Status
Do you have regularly scheduled backups to restore
critical data or systems should they be lost in a cyber-
incident?
Is it possible for you to rebuild systems from scratch

should it be necessary?
Do you have a plan to replace compromised files with

clean versions?
Do you have a plan to install patches, change passwords

and tighten network should a cyber-incident take place?
Have you considered that once a resource is successfully

attacked, it is often attacked again, or other resources
within the organization are attacked in a similar manner
and that heightened system logging and network
monitoring should be implemented?
Cybersecurity Summary Report
Firm Name: 0
Person(s) Responsible for Cybersecurity Program: 0
Cybersecurity Summary Report: This report consolidates your responses from sections 1-12 and can be used to understand where your cybersecurity risks are, where you may need to dedicate
budget and resources to remediate, and where you can choose to accept the risk. This report may also be useful for executive and board level updates. The report includes 10 responses per section.
If you would like to add more rows, please contact us at memberrelations@FINRA.org. Note you can filter your report by clicking on the down arrow on the column you would like to sort, check the
boxes for the data you want to display, then click okay.
Cybersecurity Function Firm Asset Risk Need to Remediate? Remediation Status

1 Section 2 - Identify and Assess Risks: Minimize Use Group Level Example: Customer Account Information High 0 0
1 Section 2 - Identify and Assess Risks: Minimize Use Granular Example: Customer SS# High 0 0
1 Section 2 - Identify and Assess Risks: Minimize Use 0 0 0 0
2 Section 3 - Identify and Assess Risks: Third Party Bank 0 0 0
2 Section 3 - Identify and Assess Risks: Third Party Clearing Firm 0 0 0
2 Section 3 - Identify and Assess Risks: Third Party 0 0 0 0
3 Section 4 - Protect: Information Assets Group Level Example: Customer Account Information High 0 0
3 Section 4 - Protect: Information Assets Granular Example: Customer SS# High 0 0
3 Section 4 - Protect: Information Assets 0 0 0 0
Firm Name: 0

4 Section 5 - Protect: System Assets 0 0 0 0
5 Section 6 - Protect: Encryption Group Level Example: Customer Account Information High 0 0
5 Section 6 - Protect: Encryption Granular Example: Customer SS# High 0 0
5 Section 6 - Protect: Encryption 0 0 0 0
6 Section 7 - Protect : Employee Devices 0 0 0 0
Firm Name: 0

6 Section 7 - Protect : Employee Devices 0
Ex-employees/contractors and ex-vendors/customers access 0 0 0
7 Section 8 - Protect: Controls and Staff Training terminated immediately? 0 0 0
7 Section 8 - Protect: Controls and Staff Training Monitor employees' and vendors' systems access? 0 0 0
Account credentials (login and password) are used only by the person
7 Section 8 - Protect: Controls and Staff Training for whom it is created. 0 0 0
7 Section 8 - Protect: Controls and Staff Training Do you define cybersecurity training needs? 0 0 0
Do you conduct training in regular intervals (e.g., quarterly or
7 Section 8 - Protect: Controls and Staff Training annually)? 0 0 0
7 Section 8 - Protect: Controls and Staff Training Do you develop interactive training? 0 0 0
Does training take into account firm specific risks, systems and loss
7 Section 8 - Protect: Controls and Staff Training incidents history? 0 0 0
8 Section 9 - Detect: Penetration Testing External (internet) 0 0 0
8 Section 9 - Detect: Penetration Testing Internal (intranet, employee or ex-employee) 0 0 0
8 Section 9 - Detect: Penetration Testing Application Specific 0 0 0
9 Section 10 - Detect: Intrusion Intrusion Detection System/ Intrusion Prevention System (IDS/IPS) 0 0 0
10 Section 11 - Response Plan Example: Ransomware Attack High Yes In Process
10 Section 11 - Response Plan 0 0 0 0
Firm Name: 0

Do you have regularly scheduled backups to restore critical data or
11 Section 12 - Recovery systems should they be lost in a cyber-incident? 0 0 0
Is it possible for you to rebuild systems from scratch should it be
11 Section 12 - Recovery necessary? 0 0 0
11 Section 12 - Recovery Do you have a plan to replace compromised files with clean versions? 0 0 0
Do you have a plan to install patches, change passwords and tighten
11 Section 12 - Recovery network should a cyber-incident take place? 0 0 0
Have you considered that once a resource is successfully attacked, it is

often attacked again, or other resources within the organization are
attacked in a similar manner and that heightened system logging and
11 Section 12 - Recovery network monitoring should be implemented? 0 0 0

Smallfirm Cybersecurity Checklist

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Smallfirm Cybersecurity Checklist

Uploaded by

Copyright:

Available Formats

CYBERSECURITY

Checklist for a Small Firm's Cybersecurity Program

Last Updated: (FINRA's last update) Version 1.2 June 2020

Cybersecurity Checklist Version 1.2 June 2020 Release Notes:

Using this checklist is optional:

If you answer yes to question 2, you will fill out:

If you answer yes to question 4, you will fill out:

If you answer yes to question 5, you will fill out:

How to print all sections (Entire Workbook):

How to save my excel file:

Section 1 - Identify and Assess Risks-Inventory

Section 2 - Identify and Assess Risks-Minimize Use

Section 3 - Identify and Assess Risks-Third Party

Section 5 - Protect-System Assets

Section 7 - Protect-Employees Devices

Section 8 - Protect- Controls and Staff Training

Section 9 - Detect-Penetration Testing

Section 11 - Response Plan

Group Level Example: Customer Account Information Network Drive High

Granular Example: Customer SS# G Drive High

Directions on inserting new rows:

** Business objective can be ***Remediation Needed?

Group Level Example: Customer Account

Granular Example: Customer SS# G Drive High

^ Have you assessed the ^^ Are there controls in

* Name of Third-Party – Corporation or individual’s name.

^ Have you assessed the

^ Have you assessed the

Manage Vendors and Customer Access Checklist

Pre-contract due diligence on

Ongoing due diligence of existing

Assure vendor only has access to

Customer's access is limited to

Non-disclosure agreements and

Data storage, retention, delivery,

Vendor employee access

Vendor obligation upon contract

^ Have you assessed the

Security processes initiated by

Directions on inserting new rows:

Password Strength Policy

Frequency of Password Change Policy

Training Employees on Password Hygiene

Anti-Virus Regularly Updated Policy

Malware Regularly Updated Policy

* Systems – List systems where assets reside.

ems or systems maintaining customer account information):

be to your firm’s operations.

Section 6- Protect: Encryption (See more details below in rows 21-30)

Group Level Example: Customer Account

Granular Example: Customer SS# G Drive High

Section 6- Protect: Encryption (See more details below in rows 21-30)

Are permissions restricted and devices protected?

Section 8 - Protect: Controls and Staff Training

Account credentials (login and password) are

Do you conduct training in regular intervals

Do you develop interactive training?

Does training take into account firm specific

Internal (intranet, employee

Section 10 - Detect: Intrusion

Intrusion Detection System/ Intrusion

IDS/IPS Controls Yes/No Yes/No Remediation Steps Remediation Status

Do you have receive threat information

Business objective can be *Remediation Needed?