Cybersecurity Advisory – Increasing Cybersecurity Risks at Third-Party Providers

Impact: All Firms

Introduction

The Cyber and Analytics Unit (CAU) within FINRA’s Member Supervision program highlights recent cybersecurity risks at third-party providers¹ (commonly referred to as third-party vendors) impacting member firms.

Since 2023, FINRA has observed an increase in cyberattacks and outages at third-party providers used by member firms. The financial industry’s reliance on third-party providers to support several key systems or covered functions² aggravates the risk to member firms. An attempted cyberattack or an outage at a third-party provider could potentially impact a large number of member firms. FINRA continues to monitor third-party provider risks in the interests of member firms.

Member firms are encouraged to report to their Risk Monitoring Analyst changes to third-party providers that support key systems or any cybersecurity events at third-party providers.

This advisory provides:

background on member firms’ practice of contracting with third-party providers;
an overview of the current regulatory landscape associated with third-party provider risks;
an overview of the threat landscape concerning third-party providers used by member firms; and
effective practices and resources to assist firms in mitigating risk in this area.

This advisory does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve member firms of any existing obligations under federal securities laws and regulations. Member firms may consider the information in this advisory in developing new, or modifying existing practices that are reasonably designed to achieve compliance with relevant regulatory obligations based on a member firm’s size and business model.

Background

The practice of contracting with third-party providers to perform certain activities and functions on a continual basis (i.e., outsourcing) is not new to the securities industry. In 2005, FINRA published Notice to Members 05-48 (Members’ Responsibilities When Outsourcing Activities to Third-Party Service Providers), which identified several common activities or functions that member firms frequently outsourced to third-party providers, including:

accounting and finance services, such as payroll and expense account reporting;
legal and compliance services, such as outside counsel, anti-money laundering monitoring and cyber insurance providers;
information technology (IT) and cybersecurity, such as software support, IT help desk support centers, cloud service providers, managed detection and response providers;
business operations functions, such as statement production and disaster recovery services; and
administrative functions, such as human resources, employee benefits services or internal audits.

Since that time, member firms have continued to expand the scope and depth of their use of technology. As noted in Regulatory Notice 21-29 (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors), member firms increasingly leveraged third-party providers to perform risk management functions and assist in supervising sales and trading activity and customer communications.

Regulatory Landscape

Member firms have an obligation to establish and maintain a supervisory system, including written supervisory procedures, for any activities or functions performed by third-party providers that are reasonably designed to achieve compliance with applicable securities laws and regulations and with applicable FINRA rules.³

FINRA has observed several recurring themes during its examinations concerning third-party provider risk management, including:

not establishing adequate third-party provider risk management policies;
not conducting initial or ongoing due diligence on its third-party providers that support key systems;
not validating data protection controls in third-party provider contracts;
not involving third-party providers that support key systems in the testing of their Incident Response Plan;
not having procedures that address the return or destruction of firm data at the termination of a third-party provider contract; and
not addressing third-party providers’ use of vendors (i.e., fourth-party providers) that may handle firm data.

Additionally, government regulators continue to highlight the risks associated with third-party providers:

In 2023, the SEC proposed a new rule, form, and related amendments under the Securities Exchange Act of 1934 for member firms and other market participants that would require oversight of service providers that receive, maintain or process their information, or are otherwise permitted to access their information systems.
In 2023, the Cybersecurity and Infrastructure Agency (CISA) published Securing Small and Medium-Sized Business (SMB) Supply Chains: A Resource Handbook to Reduce Information and Communication Technology Risks, which provides guidance for SMBs that serve as third-party providers of IT and communications services.
In 2023, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency jointly issued Interagency Guidance on Third-Party Relationships: Risk Management, which provides guidance to help banking organizations manage risks associated with third-party provider relationships.
In 2024, the SEC adopted changes to Regulation S-P, which requires that firms’ incident response programs include the establishment, maintenance and enforcement of written policies and procedures reasonably designed to require oversight of service providers, including through due diligence and monitoring.

Threat Landscape

From 2023-2024, FINRA observed that third-party providers used by member firms experienced a large number of cybersecurity incidents, with a particularly large increase during the first half of 2024. A review of those incidents revealed that threat actors continued to target vulnerabilities in legitimate system management tools and technology products used by these third-party providers. Notable examples of these incidents included:

Data Breaches

In 2023, the LockBit ransomware group and its affiliates capitalized on known vulnerabilities, referred to as CitrixBleed, which impacted victims globally across sectors, including substantial impact to member firms. Threat actors leveraged high-risk vulnerabilities in Citrix network appliances, which are commonly used by member firms and third-party providers to gain access to firm infrastructure or firm data held at third-party providers. Once threat actors gained initial access, they exfiltrated firm data and installed ransomware on victim networks, and then threatened to publish or sell the stolen firm data unless a ransom was paid. Firms experienced disruptions in their core business functions and their outsourced services at third-party providers, resulting in leaked customer information.

In 2024, additional data breaches at multiple third-party providers in the technology sector had a widespread impact on member firms, including Microsoft, Snowflake and Dropbox. These types of data breaches present cybersecurity risk directly to member firms as well as rippling effects throughout member firms‘ cybersecurity ecosystems at third-party providers.

Zero-Day Vulnerabilities

Threat actors continue to take advantage of zero-day vulnerabilities exposed through third-party provider relationships, exploiting that access to harm companies before patching or fixes occur.⁴ At times, these vulnerabilities can result in follow-on phishing attacks, data breaches or full-blown extortion and ransomware events, such as the 2023 Progress Software MOVEit Zero-Day attack claimed by the CL0P ransomware group. The unpatched vulnerability resulted in data breaches that led to extortion and ransomware events at firms or third-party providers, the exposure of firm and customer data, and the threat of possible follow-on identity theft of individuals.

Weather-Related Outages

Extreme weather events (e.g., hurricanes, tornados) can cause outages at third-party providers, such as the absence of electricity or telecommunication services for extended periods of time. In 2024, these events caused outages at data centers used by member firms’ third-party providers, which disrupted broker-dealer covered functions (such as those involving trade confirmations). During these outages, third-party providers transferred service to a secondary location; however, for a short period of time, member firms’ customers did not get trade confirmations in a timely fashion.

Social Engineering Campaigns

While threat actors are not necessarily responsible for some outages, they seek to use the information about the event to their advantage, often with social engineering and third-party provider impersonation campaigns. At times, technology companies release updates that can cause unintended widespread outages across industries, such as the CrowdStrike Falcon Sensor software update in July 2024, which rendered Windows hosts inoperable until member firms enacted their business continuity and incident response plans, technical fixes and patches. During the response period, threat actors impersonated CrowdStrike in interactions with some victims, laying claim to correct the outage with a fix, but instead loaded malware onto victims’ computers to steal their credentials.

Effective Practices

Firms impacted by a third-party provider-related cybersecurity incident successfully responded to, recovered from or prevented further damage by taking the following actions in their cybersecurity programs:

conducting ongoing monitoring and risk assessments of third-party providers;
segmenting networks paired with identity checks and multi-factor authentication (MFA);
implementing MFA for employees using an authentication application and shortening time limits on users’ session tokens;
prioritizing patching efforts and implementing fixes to address high-risk vulnerabilities;
proactively creating a catalog of data types and assessing whether:
- personally identifiable information (PII) or firm-sensitive information was transmitted to a third-party provider; or
- a third-party provider was allowed access to this information;
performing ongoing monitoring for lookalike website domains and phishing emails;
quickly identifying anomalous behavior with credential misuse and incorporating this behavior into employee phishing tests to raise threat awareness;
refining incident response and business continuity plans in the event a third-party provider is taken offline or otherwise unable to operate, and identifying alternative communication channels to contact providers outside of the network⁵; and
regularly testing for failover situations and practicing recovery scenarios from offline backups or when data is re-routed to alternative locations.

Questions related to this advisory or other cybersecurity topics can be emailed to the CAU.

Additional Resources

FINRA

General guidance for member firms on cybersecurity issues can be found in the Cybersecurity and Technology Management section of the 2024 FINRA Annual Regulatory Oversight Report.

Advisories and resources appliable to third-party provider risk can be found on FINRA’s Cybersecurity key topics page, including:

Cybersecurity Alert: FINRA Notifies Member Firms of MOVEit Software Vulnerability (CVE-2024-5806) (June 27, 2024)
Cybersecurity Advisory – NIST Releases Version 2.0 of its Cybersecurity Framework (June 13, 2024)
Cybersecurity Advisory – SEC Amends Regulation S-P Enhancing Protection of Customer Information (Exchange Act Release No. 35193) (June 6, 2024)
Small Firm Cybersecurity Checklist ⁶ (February 21, 2024)
Cybersecurity Alert – LockBit (Threat Actor) (January 25, 2024)
Cybersecurity Advisory - FINRA Highlights Effective Practices for Responding to a Cyber Incident (November 30, 2023)
Fraud Spotlight Webinar: Cybersecurity Alert on MOVEit Ransomware – On Demand Recording (June 24, 2023)
Cybersecurity Alert: FINRA Notifies Member Firms of CISA Advisory (AA23-158A) (June 22, 2023)
Regulatory Notice 21-29 (FINRA Reminds Firms of their Supervisory Obligations Related to Outsourcing to Third-Party Vendors)
Notice to Members 05-48 (Members’ Responsibilities When Outsourcing Activities to Third-Party Service Providers)

National Institute of Standards and Technology (NIST)

CISA

FBI

1 This advisory incorporates the National Institute of Standards and Technology’s (NIST) definition of third-party providers: "service providers, integrators, vendors, telecommunications, and infrastructure support that are external to the organization.”

2 Key systems can involve areas such as trading systems; clearing, carrying, and/or settlement functions; cybersecurity; and technology services. However, the use of these systems may vary at individual broker-dealers, depending on their business model or reliance on the use of technology within their business operations. Key systems may also be used to support covered functions (as defined by FINRA Rule 1220 (b)(3)(A)(ii) (Customer Account Statements)).

3 See FINRA Rule 3110 (Supervision) and Regulation S-P.

4 See CrowdStrike's "What is a Zero-Day Exploit?" for an explanation of the terms "Zero-Day" and "Zero-Day Vulnerability."

5 See FINRA Rule 4370(c) (Business Continuity Plans and Emergency Contact Information) for a list of the minimum elements a business continuity plan must address.

6 Specific guidance related to third-party provider risk monitoring can be found in Section 3 – Identify and Assess Risks: Third Party or Supply Chain Vendor.

7 Specific guidance related to third-party provider risk can be found in the Cybersecurity Supply Chain Risk Management (GV.SC) Category.