FINRA Cybersecurity Controls and Risk Assessment
FINRA expects broker-dealers to perform ongoing cybersecurity risk assessments and, as part of their supervisory system, to implement supervisory cybersecurity controls that are proportionate to the firm’s specific risk profile. Operationalize this by documenting a repeatable risk assessment method, mapping risks to controls (governance, access, third parties, incident response, training, and technical safeguards), and retaining evidence that supervision is working. (FINRA Rule 3110; FINRA Regulatory Notice 15-09)
Key takeaways:
- Your cybersecurity program must be supervised like any other compliance obligation, with documented controls and testing. (FINRA Rule 3110)
- “Proportionate to your risk profile” requires a defensible risk assessment and a control mapping you can explain in an exam. (FINRA Regulatory Notice 15-09)
- Evidence matters: exam readiness depends on artifacts that show decisions, execution, and follow-up. (FINRA Rule 3110)
“FINRA cybersecurity controls and risk assessment requirement” is not a single checklist item. It is a supervisory obligation: you need a system of supervisory controls that is reasonably designed to achieve compliance, and it must include cybersecurity controls calibrated to how your firm operates. (FINRA Rule 3110) FINRA’s cybersecurity guidance frames what “good” looks like in practice: governance and risk management, access controls and data loss prevention, third-party oversight, incident response planning, staff training, and technical controls such as encryption, network segmentation, and patch management. (FINRA Regulatory Notice 15-09)
For a CCO or GRC lead, the fastest path is to translate “proportionate” into a documented, repeatable risk assessment that drives specific control choices, then build supervision around it: approvals, testing, issue management, and escalation. This page is written to help you stand up the minimum defensible structure quickly, then deepen it over time without rewriting your program every exam cycle. It focuses on what FINRA exam teams typically need to see: a clear story of your risk profile, a coherent control set, and proof that you operate and supervise those controls. (FINRA Rule 3110; FINRA Regulatory Notice 15-09)
Regulatory text
Regulatory excerpt (paraphrased): Broker-dealers must establish and maintain a system of supervisory controls reasonably designed to achieve compliance with applicable securities laws, including cybersecurity controls proportionate to the firm’s risk profile. (FINRA Rule 3110; FINRA Regulatory Notice 15-09)
Plain-English interpretation (what FINRA is really asking you to prove)
You must be able to show three things:
- You know your cyber risk profile. You can explain the systems you run, the data you hold, your threat exposure, and your dependency on third parties. (FINRA Regulatory Notice 15-09)
- Your controls match that risk. Controls are not generic; they address your identified risks with clear ownership and coverage. (FINRA Regulatory Notice 15-09)
- You supervise and test those controls. Policies alone are not enough; you maintain supervisory controls and verify they work through reviews, testing, and issue follow-up. (FINRA Rule 3110)
Who it applies to (entity and operational context)
This requirement applies to FINRA member broker-dealers and, operationally, to the teams that run or oversee:
- Supervision and compliance operations (WSPs, supervisory control testing, exception management). (FINRA Rule 3110)
- Information security / IT operations (identity, endpoint, network, patching, backups, logging). (FINRA Regulatory Notice 15-09)
- Business lines handling customer or trading-related workflows (new accounts, order routing, research, communications). (FINRA Regulatory Notice 15-09)
- Third parties that store, process, transmit, or administer firm data or systems (cloud services, managed service providers, SaaS platforms, consultants). (FINRA Regulatory Notice 15-09)
If your firm clears, carries customer accounts, supports remote work, uses cloud-based CRMs, allows BYOD, or has an introducing/clearing relationship with data sharing, your risk profile and control expectations shift accordingly. You do not need to have the same controls as a large firm, but you must explain why your choices are reasonable for your footprint. (FINRA Regulatory Notice 15-09)
What you actually need to do (step-by-step)
Step 1: Define your cyber risk assessment method and scope
Create a short “Risk Assessment Standard” that states:
- Scope: systems, applications, endpoints, networks, and third parties in scope; what data types are in scope (customer PII, trading data, credentials). (FINRA Regulatory Notice 15-09)
- Assessment approach: how you identify assets, threats, vulnerabilities, and business impact; how you rate risks; who approves results.
- Cadence triggers: assess on material changes (new systems, acquisitions, major vendor changes), and on a recurring basis that you can defend. (FINRA Regulatory Notice 15-09)
Deliverable: a risk assessment template and a “current state” assessment for your environment. (FINRA Regulatory Notice 15-09)
Step 2: Document your “risk profile” in business terms
Your risk profile should fit on a few pages and cover:
- Business model: retail vs institutional, clearing/introducing, remote workforce, branch footprint.
- Data map: what sensitive data you hold and where it flows (email, file shares, cloud apps).
- Crown jewels: systems whose compromise would cause customer harm or regulatory impact (identity platform, trading, email, customer communications).
- Third-party dependency: critical third parties and what they can access or host. (FINRA Regulatory Notice 15-09)
This becomes the narrative you use in exams to justify why controls are proportionate. (FINRA Regulatory Notice 15-09)
Step 3: Map risks to a control set FINRA expects to see
Build a control matrix that maps top risks → control objectives → specific controls → evidence across these FINRA-aligned areas: (FINRA Regulatory Notice 15-09)
- Governance & risk management
  - Assign control owners and escalation paths.
  - Tie cybersecurity governance into supervisory controls (committee minutes, issue reporting). (FINRA Rule 3110)
- Access controls & data loss prevention
  - Role-based access, joiner/mover/leaver workflow.
  - Strong authentication for high-risk access paths.
  - Controls to reduce data exfiltration channels appropriate to your workflows (email, web uploads, removable media). (FINRA Regulatory Notice 15-09)
- Third-party risk management
  - Inventory third parties that touch sensitive data.
  - Due diligence proportional to risk (security questionnaires, SOC reports if available, contract clauses, access limitations). (FINRA Regulatory Notice 15-09)
- Incident response
  - Written incident response plan with defined decision rights (who declares, who communicates, who preserves evidence).
  - Tabletop testing and lessons learned tracked to remediation. (FINRA Regulatory Notice 15-09)
- Training & awareness
  - Training tailored to job roles (trading, operations, finance, IT admin) and targeted reinforcement for common threats (phishing, credential theft). (FINRA Regulatory Notice 15-09)
- Technical controls
  - Encryption where appropriate, network segmentation where it changes outcomes, patch management, endpoint controls, backups, and centralized logging/monitoring matched to your environment. (FINRA Regulatory Notice 15-09)
Step 4: Embed cybersecurity into your supervisory control framework
FINRA’s anchor is supervision. Make cybersecurity “exam-able” by integrating it into:
- Written supervisory procedures (WSPs): who reviews access exceptions, who approves privileged access, who reviews incident tickets, who oversees third-party access. (FINRA Rule 3110)
- Supervisory control testing: test a sample of access changes, third-party onboarding decisions, patch exceptions, incident closure quality. Document findings and remediation. (FINRA Rule 3110)
- Issue management: a tracked backlog with owners, dates, and management sign-off for risk acceptance.
Step 5: Validate controls with lightweight, repeatable testing
Pick tests that prove operation, not just design:
- Access recertification evidence for key systems.
- Patch/exception reviews for critical assets.
- Phishing simulation or equivalent control validation where relevant.
- Incident response tabletop after meaningful system changes. (FINRA Regulatory Notice 15-09)
Step 6: Prepare the “exam packet” you can hand over fast
Build a single folder (or GRC workspace) that contains:
- Risk assessment method, last assessment, and approvals.
- Risk profile summary and top risks.
- Control matrix with evidence links.
- Third-party inventory and due diligence samples.
- Incident response plan and test results.
- Training completion records and materials.
- Supervisory testing results and remediation tracking. (FINRA Rule 3110; FINRA Regulatory Notice 15-09)
If you use Daydream, treat it as the system of record for third-party inventory, security reviews, evidence collection, and renewal tracking, so your control matrix links to live artifacts instead of stale files.
Required evidence and artifacts to retain
Keep artifacts that show decision, execution, and supervision:
- Cyber risk assessment report: scope, methodology, ratings, and prioritized remediation plan with approvals. (FINRA Regulatory Notice 15-09)
- Cyber risk profile memo: business model, data flows, crown jewels, third-party dependency. (FINRA Regulatory Notice 15-09)
- Cybersecurity governance records: committee charters (if applicable), meeting minutes, escalation logs. (FINRA Rule 3110)
- Access control evidence: provisioning tickets, privileged access approvals, access reviews, termination checklists. (FINRA Regulatory Notice 15-09)
- Third-party due diligence: inventory, risk tiering, questionnaires/attestations, SOC reports if received, contract security terms, access limitations, offboarding records. (FINRA Regulatory Notice 15-09)
- Incident response: plan, contact lists, tabletop materials, post-incident reviews, remediation tickets. (FINRA Regulatory Notice 15-09)
- Training: curriculum, role-based modules, completion logs, exception handling. (FINRA Regulatory Notice 15-09)
- Supervisory control testing: test plans, samples, results, corrective actions, retests. (FINRA Rule 3110)
Common exam/audit questions and hangups
Expect questions that probe “proportionate” and “supervised”:
- “Show your last cybersecurity risk assessment and the remediation plan it produced.” (FINRA Regulatory Notice 15-09)
- “How did you determine which systems are critical, and what controls protect them?” (FINRA Regulatory Notice 15-09)
- “How do you oversee third parties with access to customer data or admin access to systems?” (FINRA Regulatory Notice 15-09)
- “Where are your WSPs that describe cybersecurity supervision and exception handling?” (FINRA Rule 3110)
- “Show evidence that controls operate: access reviews, patch exception approvals, IR tabletop results.” (FINRA Rule 3110; FINRA Regulatory Notice 15-09)
- “How do you ensure staff training is completed and effective for the threats you see?” (FINRA Regulatory Notice 15-09)
Hangup to anticipate: teams produce a technically strong security program but cannot show supervisory testing, approvals, and exception governance. That becomes a Rule 3110 problem quickly. (FINRA Rule 3110)
Frequent implementation mistakes (and how to avoid them)
- Mistake: Risk assessment is a one-time report.
  Fix: treat it as a living process tied to change management and third-party onboarding. Keep version history and approvals. (FINRA Regulatory Notice 15-09)
- Mistake: “Proportionate” becomes an excuse for missing basics.
  Fix: document what you do have, what you deferred, and why. Record compensating controls and risk acceptance approvals.
- Mistake: Third-party oversight stops at procurement.
  Fix: maintain an inventory of third parties with data/system access, assign risk tiers, and track ongoing review triggers like product changes and security incidents. (FINRA Regulatory Notice 15-09)
- Mistake: Incident response plan exists but no one has practiced it.
  Fix: run tabletop exercises and track improvements to closure. Keep artifacts, not just calendar invites. (FINRA Regulatory Notice 15-09)
- Mistake: WSPs don’t cover cybersecurity exceptions.
  Fix: add procedures for approving privileged access, patch deferrals, logging gaps, and third-party access exceptions, with named approvers. (FINRA Rule 3110)
Enforcement context and risk implications
No public enforcement case sources were provided for this requirement in the supplied materials, so this page does not list case examples.
Practically, your risk is exam-driven: if you cannot connect your risk assessment to your control choices and show supervisory testing and follow-up, you create a defensibility gap under the supervisory control expectations in FINRA Rule 3110. (FINRA Rule 3110)
Practical 30/60/90-day execution plan
First 30 days: stabilize and make it explainable
- Assign owners for cybersecurity governance, risk assessment, third-party oversight, incident response, and supervisory testing. (FINRA Rule 3110)
- Produce a current risk profile memo and a draft risk assessment using a consistent template. (FINRA Regulatory Notice 15-09)
- Build the control matrix covering the FINRA guidance areas and link each control to at least one evidence artifact you already have. (FINRA Regulatory Notice 15-09)
Days 31–60: close the “supervision” gaps
- Update WSPs to include cybersecurity control supervision, approvals, and exception handling. (FINRA Rule 3110)
- Stand up supervisory control testing for a few high-signal areas (access changes, privileged access, critical patch exceptions, third-party onboarding). (FINRA Rule 3110)
- Establish third-party inventory and risk tiering; start due diligence on critical/high-risk third parties first. (FINRA Regulatory Notice 15-09)
Days 61–90: prove operation and create an exam packet
- Run an incident response tabletop and document outcomes and remediations. (FINRA Regulatory Notice 15-09)
- Implement a repeatable evidence collection cadence (training completion, access review outputs, remediation tracking). (FINRA Rule 3110)
- Assemble the exam packet folder with a clean index and direct links to evidence; confirm you can answer the common exam questions without rebuilding artifacts.
Frequently Asked Questions
How do I prove our cybersecurity controls are “proportionate to our risk profile”?
Write down the risk profile (systems, data, third parties, threat exposure) and map top risks to specific controls and evidence in a control matrix. Examiners respond well to a clear rationale tied to your assessment results and approvals. (FINRA Regulatory Notice 15-09)
Does FINRA require a specific cybersecurity framework like NIST CSF?
FINRA’s requirement is framed through supervisory controls and risk-based cybersecurity practices rather than mandating a single framework. You can align to a framework internally, but you still need to show risk assessment, controls, and supervision consistent with FINRA’s guidance topics. (FINRA Rule 3110; FINRA Regulatory Notice 15-09)
What’s the minimum evidence I should have ready for an exam request?
Keep your latest cyber risk assessment with approvals, a control matrix with evidence links, WSPs covering cyber supervision, incident response plan and test artifacts, third-party inventory with due diligence samples, and training records. These map directly to the expectation of supervised, risk-based controls. (FINRA Rule 3110; FINRA Regulatory Notice 15-09)
How should I scope third-party risk for this requirement?
Start with third parties that store, process, transmit, or administer your sensitive data or have privileged access to systems. Tier them by impact, then scale diligence depth and ongoing monitoring to the tier. (FINRA Regulatory Notice 15-09)
Our IT team patches and monitors systems. Why do I need supervisory control testing?
FINRA Rule 3110 focuses on supervision. You need documented testing or review that demonstrates controls operate as intended, exceptions are approved, and issues are tracked to closure. (FINRA Rule 3110)
Where does Daydream fit if I’m operationalizing this quickly?
Use Daydream to centralize third-party inventory, due diligence workflows, evidence retention, and renewal tracking, then link those artifacts into your FINRA control matrix. That reduces scramble risk during exams because your evidence stays current.