How to Use the FINRA Cybersecurity Checklist for Small Firms

Get an IT security tech’s take on cybersecurity compliance, using the FINRA cybersecurity checklist for small- to mid-sized businesses. 

FINRA’s “Checklist for a Small Firm’s Cybersecurity Program” is an excellent cybersecurity tool for small to medium-sized (SMB) financial advisor firms. Use these tips to complete it to keep your clients’ sensitive data (and your business) much safer.

Before we begin, be sure to download the FINRA Cybersecurity Checklist.

Pro Tip: Look at this with IT staff or an outsourced IT service vendor with cybersecurity experience. Delegate the information gathering and input as you see fit, but stay involved throughout the process.

3 Tips for Navigating the Checklist

1. Don’t Skip the “Overview” and “Resources” Tabs

The Overview tab explains the document’s purpose and methods. It asks five questions that will determine which of the 12 sections you should complete.

Pro Tip: Most financial services SMBs should complete all 12.

The Resources tab includes helpful background links for each of the 12 sections. The links (to sources like NIST, FINRA and AICPA) give you background information on why the checklist asks for the information that it does.

2. Read the Footnotes

When you see asterisks throughout this spreadsheet, scroll down and check the footnotes — they’re usually quite helpful definitions, details, and instructions.

3. Scroll Down for Important Info

Some tabs have key sections hidden 30 to 40 rows down, so look for those. We’ll note some of them in the following hints for each section.

Tips for Completing the FINRA Cybersecurity Checklist’s 12 Sections

The following tips aren’t intended to be complete instructions for completing each of the checklist’s sections. Instead, many of these tips come from the questions we’re typically asked when helping clients complete this checklist.

Section 1: Identify and Assess Risks - Inventory

The first two columns ask what data your company has and where it is stored. 

A good way to get started with this is to look at the information you gather from a new client. What data do you collect and where does it go?

The third column asks you to assess the risk level. 

It can be helpful to assess the potential damage done to those whose private financial data has been compromised, in order to determine whether the risk is high, medium, or low.

Section 2: Identify and Assess Risks - Minimize Use

This builds on your Section 1 entries. For each data category you entered, decide whether your firm:

  1. Really needs it, and/or; 
  2. Really needs to share it.

You might be surprised how much data you collect that you don’t need. Shed that data and the unnecessary risk it represents.

Section 3: Identify and Assess Risks - Third Parties

When creating a list of third-party entities that have access to your data, do not limit it to just those with staff who can access it, such as your IT services provider, accountant or payroll service. You should also include providers of products and services you use to store and move data (e.g., Dropbox,, or Salesforce).

To ensure proper vendor management, refer to the checklist starting at row 62 for the necessary steps you should be taking.

Section 4: Protect - Information Assets

For each sensitive data category you listed in Section 1, enter how that “information asset” is protected. But when you do, ask yourself whether the protections actually work. 


  • Password protected? If so, have you reset the default password? 
  • Malware/antivirus/firewall installed? If so, have all updates/patches been installed?

Starting in Row 56 is a checklist of password best practices.

Section 5: Protect - System Assets

Unlike the usual definition of “asset” for financial services pros, in this context the asset is data. The “system” is what stores and/or processes the data, such as your CRM, HR, or project management software.

Section 6: Protect - Encryption

The footnotes are helpful for explaining encryption basics, but for non-experts, it’s best to seek help from IT staff or vendors.  

Most small companies (and big companies too) aren’t encrypting data when sending it through internal email. Microsoft and other email platform providers have some tools to protect that type of data. Again, get help with enacting these protections.

Section 7: Protect - Employee Devices

This section asks you to list all devices that have access to personally identifiable information (PII). This includes personal devices such as smartphones and tablets that employees use to check their work email.

You also need to enter how each device is protected. Protections should include encrypting your data and wiping sensitive data from devices belonging to terminated employees. Also, consider preventing employees from saving any business data to their mobile devices.

Section 8: Protect - Controls and Staff Training

The training section doesn’t mention specific types of cybersecurity training, but there’s one area you should consider: How to spot phishing attempts. Because phishing is the fastest way for an outsider to hack your system. Training should include regular fake phishing emails to see how well the training is working.

However, it is equally important to monitor the activities of all individuals who have administrative access, including those with email system admin rights. Hackers are eager to obtain accounts with admin rights to gain maximum access to your sensitive data.

Pro Tip: Remember to turn on two-factor authentication on any admin account.

Section 9: Detect - Penetration Testing

Penetration testing, also known as “white hat” hacking, is when the good guys emulate malicious hackers to find vulnerabilities in your IT infrastructure that you need to fix.

Section 10: Detect - Intrusion

This section is all about whether you have an intrusion detection system (IDS). The simple description of an IDS is a subscription service you add to your firewall.

Pro Tip: If you have an outsourced IT vendor doing your network monitoring, ask about the IDS, and whether it includes the “IDS Controls” that start on row 21.

Section 11: Response Plan

This is another section for which you should probably get expert help. But read through it because it has excellent information about what may be necessary to respond to when a data breach occurs.

The meat of this section isn’t until line 38, where you get a description of potential attacks you may need to respond to, and links to some good resources.

Beginning on line 79 is a checklist of important “governance” steps you should be taking – such as buying cyber liability insurance.

Section 12: Recovery

This section about recovery. What happens after a cyber incident is really a great guide for six controls you should have in place before a cyber incident.

Translation for the control described in line 13: Use continuous network monitoring that logs unusual network activity. So, when something bad happens, you can tell whether you’re vulnerable to getting hit in a similar way again.


Why It’s a Mistake to Ignore This Checklist

You’re probably no stranger to cybersecurity checklists. One reason some of my clients say they haven’t paid attention to them before is that they believe their parent company, broker-dealer, or some other entity further up the ladder handles all that cyber stuff. That’s almost never true.

And it could be a very costly mistake if a data breach results in a lawsuit, and you can’t show that you had a good cybersecurity plan in place when the breach occurred.

This FINRA checklist takes more to complete than checking yes or no on a long list of cybersecurity controls. It takes considerable time and effort. But that’s a good thing.

If you work with your IT staff and/or vendors to complete this document, you’ll have the bones of a strong cybersecurity program.

Check out our resources for more IT and cybersecurity insights.

Latest Teal News

Subscribe to Our Newsletter

Join Teal Exclusive now to be notified of the latest news, tech tips, and more.

Recent Articles
Don’t Stop Here

More To Explore

Remote Work

Solving Common Remote Work Security Challenges

Organizations face increasing threats from phishing scams, the use of insecure passwords, and the complexity of managing personal devices. Tackling these issues head-on is essential