Since we are a FINRA Designated Third Party (D3P) currently doing data archiving for customers, I decided to help firms with cybersecurity too. So naturally I downloaded FINRA’s Cybersecurity Checklist for Small Firms in attempts to get some guidance, boy was I disappointed, and surely I’m not alone. I mean if you’re a small firm thinking FINRA is going to help with your cybersecurity plans these days, forget it.

FINRA’s Cybersecurity Checklist is old; I couldn’t actually find a date on the document, the closest thing I could get was a related download called Selected Cybersecurity Practices from 2018. Lots has changed since then, and a new approach is needed.

For example, in their original Cybersecurity Checklist there’s a laundry list of items where FINRA suggests firms configure encryption, monitor their firewalls, setup intrusion detection, be able to build systems from scratch if there’s a disaster, a plan to patch software and branch controls. But the fact is, almost all small FINRA firms have moved to the cloud or plan to (Microsoft 365 in particular). And cybersecurity on the cloud is a whole new ballgame: there’s no more in-house firewalls to monitor, encryption is built in, no need to patch software – Microsoft does that automatically. And disaster recovery is a moot point so is the idea of “branch offices” when a firm is fully moved to the cloud.

A New Cybersecurity Checklist

Although cybersecurity is simpler when a firm is on the cloud since they don’t have in-house systems to manage, there’s new kinds of threats. For example, on the Microsoft cloud you instantly become a bigger target because hackers can do a simple domain lookup and see you’re there, then they’ll pull out their bag of tricks, also everyone’s login username is their email address so a hacker only needs to glean users passwords, and it’s easy for the whole company to be compromised on the cloud if one person happens to download malicious code to the company SharePoint site – everyone is instantly infected.

Therefore, I created my own updated FINRA cybersecurity check list for small firms on the Microsoft Cloud.

One: Advanced Security Options Aren’t Enabled on Microsoft 365 by Default

The first thing to understand about Microsoft 365 is it’s not fully secured by default. For example, the advanced security options needed for the typical FINRA firm aren’t enabled out-of-the-box and to make the Microsoft Cloud secure the following needs to be checked off:

  • Prevent Phishing: to do this, enable, “Spoof Intelligence” since the default Anti-Phishing Policy is set to off

  • Stop Ransomware: Enable Safe Attachments, and Safe links to block these infected messages from entering the firms email system, ensure messages are still delivered without suspicious attachments or link so users can still receive the email and can alert IT of the attack

  • Block Malware: Enable “block common attachment filters on Exchange Online to prevent email with malware from being delivered to employees

Two: Enable Advanced Alerts and Monitoring on the Microsoft Tenant

Also, by default alerts and monitoring aren’t enabled on Microsoft 365, this needs to be checked off for cybersecurity as well:

  • For example, alerts must be sent to IT if an employee clicks a link with malicious code, or if suspicious activity occurs such as users being added, or forwarding rules created. Also, if infected emails are delivered to anyone.

  • The proper quarantine needs to be enabled so that IT can access infected messages to be aware, and employees won’t inadvertently release viruses

Three: Users’ Data Isn’t Backed up on Microsoft 365

Microsoft doesn’t backup users’ data stored on their cloud either. This means firms are still under threat from Ransomware if they can’t restore an infected data set and if anyone deletes files or emails, you can’t call Microsoft and ask them to restore it. So several important features are needed to backup and archive data:

  • A third party Cloud Backup Plug-in that’ll take company data off the Microsoft Cloud to a separate system that’s 17a-4 compliant

  • Automatically detect, backup and archive data on the cloud as users create it

  • Ability to protect full email boxes, data stored on OneDrive and SharePoint also backup and archive Teams chats

  • Granular protection of data with the ability to restore individual emails, files and Teams chats

  • Allow IT, compliance officers, and FINRA auditors access to the data archive

Four: Security Awareness Training

Sign your Company up for Security Awareness Training Service. Basically, A security awareness training service will continually test and educate a firm’s employees about phishing, (the number one way hackers get in). Now, I am not going to get into all the details about nasty phishing is, but here is what you need to check off for security awareness training today:

  • BASELINE TESTING. The first step in the FINRA cybersecurity Checklist is to perform a baseline testing to assess the Phish-prone percentage of your users through a simulated phishing attack. All results are logged and presented after the campaign

  • EDUCATION:  Then your users are trained on how-to spot Phishing attempts in emails. Using a large library of security awareness training content, including interactive modules, videos, games, posters and newsletters

  • ONGOING TESTING: Phishing campaigns are randomly sent out to users to keep them on their toes and to ensure they are paying attention to phishing attempts. See your user’s click rate drop as they start to question emails that just ‘don’t look right’, this is critical to maintaining cybersecurity for FINRA member firms
  • AUTOMATED TRAINING CAMPAIGNS: Employees are automatically trained on how to detect and respond to threats with scheduled reminder emails. Training takes 2-10 minutes to complete on average


FINRA’s cybersecurity Checklist is old, but the fact is, almost all small firms have moved to the cloud or plan to (Microsoft 365 in particular) – which is a whole new ballgame: no more in-house firewalls to monitor, encryption is built in, no need to patch software. Also, disaster recovery is a moot point so is the idea of having branch offices. Therefore, I created my own updated cybersecurity check list to help FINRA firms tackle security on the Microsoft Cloud.

About AdvisorVault

AdvisorVault is the only FINRA D3P with a Consolidated 17a-4 Service, designed to give small firms everything needed to meet today’s data compliance demands. Our turn-key approach performs the archiving, retention, and supervision of electronic records no matter where they are stored – in-house or in the cloud. Including the FINRA third party letters with all the required documentation. For one flat monthly fee it’s the only fully 17a-4 compliant option – Complete data compliance peace of mind, out-of-the-box.

Allan Lonz, President
direct: 416-985-0310
Toll free: 1-866-732-1407 ex 1