Targeted Examination Letter on Cybersecurity
January 2014
FINRA is conducting an assessment of firms' approaches to managing cybersecurity threats. FINRA is conducting this assessment in light of the critical role information technology (IT) plays in the securities industry, the increasing threat to firms' IT systems from a variety of sources, and the potential harm to investors, firms, and the financial system as a whole that these threats pose.
FINRA has four broad goals in performing this assessment:
- to understand better the types of threats that firms face;
- to increase our understanding of firms' risk appetite, exposure and major areas of vulnerabilities in their IT systems;
- to understand better firms' approaches to managing these threats, including through risk assessment processes, IT protocols, application management practices and supervision; and
- as appropriate, to share observations and findings with firms.
Note: The assessment addresses a number of areas related to cybersecurity, including firms':
- approaches to information technology risk assessment;
- business continuity plans in case of a cyber-attack;
- organizational structures and reporting lines;
- processes for sharing and obtaining information about cybersecurity threats;
- understanding of concerns and threats faced by the industry;
- assessment of the impact of cyber-attacks on the firm over the past twelve months;
- approaches to handling distributed denial of service attacks;
- training programs;
- insurance coverage for cybersecurity-related events; and
- contractual arrangements with third-party service providers.