FINRA published guidance on cybersecurity expectations for member firms, covering incident response planning, third-party vendor oversight, customer notification standards, and emerging threats.
The guidance emphasizes the importance of incident response planning, recommending that firms test their plans at least annually through tabletop exercises that include senior management participation.
Third-party vendor oversight is highlighted as a critical area, with FINRA noting that firms remain responsible for the cybersecurity practices of their service providers and must conduct ongoing due diligence.
The guidance also addresses emerging threats, including AI-enabled phishing attacks and social engineering schemes targeting financial services firms and their customers.