Given the recent SEC Ransomware Alert and everyone’s ongoing need to better understand and refine their firm’s cybersecurity practices, I thought I’d pass along FINRA’s Small Firm Cybersecurity Program Checklist created to assist small firms in establishing a cybersecurity program.

This checklist was derived primarily from the National Institute of Standards and Technology (NIST) Cybersecurity Framework, updated earlier this year, and FINRA’s Report on Cybersecurity Practices (2015).
According to FINRA, the checklist is designed to:

  • Identify and assess cybersecurity threats;
  • Protect assets from cyber intrusions;
  • Detect when systems and assets have been compromised;
  • Plan for the response when a compromise occurs; and
  • Implement a plan to recover lost, stolen or unavailable assets.

I don’t normally find FINRA tools to be of much use for investment advisers, but this is a rare and excellent exception. While the SEC appears to have tagged Chief Compliance Officers with yet another vast subject area to master, the real power of the checklist is that it guides you and your team on how to think together: to understand your firm’s specific risks, develop a thoughtful plan that addresses them, and then actually implement that plan.

Cybersecurity is like best execution: the CCO is not personally responsible for ensuring that the firm obtains best execution, but is responsible for developing reasonable policies and practices designed to achieve it. The same holds for cybersecurity. The CCO cannot guarantee the firm will never be compromised, but is responsible for seeing that the firm has a reasonable program to identify, protect, detect, respond and recover.