Looking to Invest in Cybersecurity Solutions? Find Out Which Ones Meet FINRA and SEC Guidelines for Financial Services Firms in St. Louis
Financial services firms asking this question are often in one of two situations: they’ve just received FINRA examination findings that flagged cybersecurity gaps, or their compliance consultant has told them their current IT setup doesn’t meet regulatory expectations and they need to understand what that actually means in practice.
This guide answers that question directly. It maps the specific cybersecurity requirements from FINRA and the SEC to the actual technology solutions that satisfy them — and explains what “good” looks like versus what most firms actually have when we walk in the door.
Nothing in this article constitutes legal, compliance, or regulatory advice. For guidance specific to your firm’s obligations, consult your compliance consultant or securities counsel.
The Regulatory Framework: What FINRA and the SEC Actually Require
FINRA doesn’t publish a single cybersecurity rule the way the SEC publishes Regulation S-P. Instead, the requirements live across several rules and guidance documents that collectively define what a compliant cybersecurity program looks like:
SEC Regulation S-P (Rule 30) requires firms to have written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. The SEC’s 2024 amendments to Regulation S-P added a specific requirement for a written incident response program designed to detect, respond to, and recover from unauthorized access to customer information, including procedures to notify affected individuals within 30 days of discovery. Larger entities were required to comply by December 3, 2025. Smaller entities must comply by June 3, 2026.
SEC Regulation S-ID requires firms that offer or maintain covered accounts to develop and implement a written program designed to detect, prevent, and mitigate identity theft.
FINRA Rule 4370 requires all broker-dealers to maintain written business continuity plans that address cybersecurity disruptions, including ransomware events and denial-of-service attacks.
FINRA Rule 3110 (Supervision) requires firms to establish supervisory systems for the activities of associated persons – which extends to electronic communications, cybersecurity controls, and the technology that captures and reviews those communications.
FINRA Rule 4511 (Books and Records) requires firms to preserve records in a format that meets SEC Rules 17a-3 and 17a-4, including audit logs, access records, and electronic communications archives.
FINRA Notice 22-29 is the most comprehensive cybersecurity guidance FINRA has published. While it isn’t a rule, examiners reference it routinely, and its practices have effectively become the minimum bar for what a reasonably designed cybersecurity program looks like. It covers identity and access management, endpoint protection, incident response, vendor management, branch controls, and customer authentication.
The 2026 FINRA Annual Regulatory Oversight Report identifies the areas FINRA evaluates during examinations: technology governance, risk assessment, technical controls, access management, incident response, vendor management, data loss prevention, system change management, branch controls, and staff training.
Together, these create a clear picture of what regulators expect – and what technology solutions need to deliver.
Requirement 1: Multi-Factor Authentication (MFA)
What the regulators say: The 2026 FINRA Annual Regulatory Oversight Report explicitly calls out MFA as a required control for login access to the firm’s systems, including email and operational systems accessed by associated persons, firm staff, contractors, and customers. FINRA’s examination findings consistently cite the absence of MFA – or inconsistent MFA coverage – as a deficiency. A single account without MFA is treated as a material gap regardless of how everything else looks.
What compliance actually requires: MFA on every system that accesses customer data or firm operations. That means email, the firm’s core applications, remote access, Microsoft 365, CRM systems, portfolio management platforms, and any third-party vendor portal with access to firm data. Coverage must be consistent – MFA enforced on some applications but not others is a finding, not a partial credit.
What good looks like: Conditional Access policies in Microsoft 365 that enforce MFA based on device compliance state, location, and risk signal. Privileged accounts – global admins, system administrators – should be separate accounts with their own MFA enforcement, not the firm principal’s regular login. Foreign login blocking (Conditional Access rules that challenge or block logins from unexpected geographies) is increasingly expected.
What we find in most firms: MFA is enabled on Microsoft 365 but not enforced on third-party platforms. Legacy authentication protocols that bypass MFA are still active. Admin accounts share credentials with standard user accounts. Conditional Access policies exist on paper but haven’t been configured.
Requirement 2: Endpoint Detection and Response (EDR/MDR)
What the regulators say: FINRA’s guidance specifically names Endpoint Detection and Response (EDR) tools as a core technical control. Traditional antivirus – signature-based detection that identifies known threats – is explicitly insufficient for a regulated financial services firm. The 2026 FINRA Annual Regulatory Oversight Report identifies ransomware, account takeovers, and cybercrime-as-a-service tools as the primary threat vectors facing member firms. These threats specifically evade signature-based detection.
What compliance actually requires: Behavioral endpoint protection that detects anomalous activity – lateral movement, privilege escalation, unusual file encryption, unauthorized data access – not just known malware signatures. For firms with compliance obligations, Managed Detection and Response (MDR) adds a human response capability that monitors alerts around the clock and can contain an active threat before it escalates.
What good looks like: An EDR solution deployed on every endpoint – workstations, laptops, and servers, with real-time behavioral monitoring and centralized alert management. MDR provides the human oversight layer that connects the technology to an actual incident response when a threat is detected. The solution should be tuned for the firm’s environment so that legitimate financial planning applications don’t generate false positives that degrade performance.
What we find in most firms: Traditional antivirus still running on most or all endpoints. EDR deployed on servers but not workstations, or on some endpoints but not all. Security software configured with default settings that aren’t tuned for a financial services environment, creating performance problems that cause staff to disable protections.
Requirement 3: Email Security
What the regulators say: Phishing is consistently identified as the primary entry point for cybersecurity incidents in financial services. FINRA’s 2026 guidance specifically calls out phishing campaigns targeting member firms, including fraudulent emails purporting to be from FINRA executives, as an active and ongoing threat. The Regulation S-P safeguards requirement includes protection of customer information from unauthorized access via email-based attacks.
What compliance actually requires: Email filtering that goes beyond spam detection. Impersonation protection tuned to the specific brands and individuals attackers use to target financial firms – custodian brands (Schwab, Fidelity, Pershing), regulatory bodies (FINRA, SEC), and internal executives are all commonly spoofed. Safe Links and Safe Attachments that inspect URLs and files at the time of click, not just at the time of delivery. DMARC, DKIM, and SPF fully configured to protect the firm’s own domain from being spoofed in outbound attacks. Outbound email monitoring to detect unauthorized transmission of sensitive customer data.
What good looks like: Microsoft Defender for Office 365 (Plan 1 or Plan 2) with Safe Links, Safe Attachments, and anti-phishing policies configured. Anti-phishing policies should include impersonation protection for executives and custodian brands. DMARC configured in enforcement mode (reject or quarantine), not just monitoring mode. Outbound DLP policies that scan for SSNs, account numbers, and other sensitive data before emails leave the firm.
What we find in most firms: Basic spam filtering with no impersonation protection. DMARC in monitoring mode with no enforcement. Safe Links and Safe Attachments licensed but not enabled. No outbound email scanning.
Requirement 4: Data Loss Prevention (DLP)
What the regulators say: FINRA’s examination findings specifically cite the absence of Data Loss Prevention controls as a deficiency – firms that aren’t monitoring network activity to identify unauthorized copying or deletion of customer data, or monitoring outbound emails to identify sensitive customer data in text or attachments. For firms subject to GLBA and Regulation S-P, DLP is both a security control and a compliance requirement.
What compliance actually requires: Policies that detect and prevent the unauthorized transmission of sensitive customer information — Social Security numbers, account numbers, financial records, client PII – via email, SharePoint sharing, OneDrive, or other channels. DLP policies should cover both internal mishandling (an advisor accidentally sharing a client document with broad permissions) and external exfiltration (an attacker using a compromised account to copy data out of the environment).
What good looks like: Microsoft Purview DLP policies configured for financial data – SSNs, account numbers, routing numbers, and other sensitive identifiers – applied to Exchange (email), SharePoint, OneDrive, and Teams. SharePoint external sharing locked down to specific approved domains only, not open to anyone with a link. Anonymous external links disabled. Expiration policies on any external sharing that is permitted.
What we find in most firms: No DLP policies configured. SharePoint external sharing set to “Anyone with the link” – a default that allows client documents to be shared broadly with no expiration and no visibility. Advisory firms are consistently surprised by how broadly their client data is accessible when we run a SharePoint permissions audit.
Requirement 5: Access Management and Privileged Access Controls
What the regulators say: FINRA’s guidance explicitly calls out inadequate access management as a recurring deficiency – specifically, firms not implementing a “policy of least privilege” to grant system and data access only when required, not limiting and tracking individuals with administrator access, and not implementing MFA for employees, vendors, and contractors. Privileged access controls are examined as part of both the supervision and cybersecurity frameworks.
What compliance actually requires: A documented user access matrix showing who has access to what systems and data, including admin and privileged accounts. A formal off-boarding process that terminates access immediately when an employee leaves, not at the end of the week, and not when IT gets around to it. Regular access reviews that verify current permissions align with current roles. Separate admin accounts for individuals with administrative privileges, distinct from their day-to-day user accounts.
What good looks like: Microsoft Entra ID (formerly Azure AD) with Privileged Identity Management (PIM) for just-in-time admin access – admins don’t hold standing privileges but request elevation for specific tasks. Automated off-boarding workflows that disable accounts, revoke licenses, and forward email on the last day of employment. Quarterly access reviews that are documented with sign-off. No shared credentials or shared admin accounts.
What we find in most firms: Departed employees with active accounts or mailbox access weeks or months after leaving. No formal off-boarding process – access termination handled ad hoc. Shared admin credentials used by multiple people. No separation between standard user accounts and privileged admin accounts.
Requirement 6: Patch Management
What the regulators say: FINRA’s cybersecurity guidance identifies unpatched systems as one of the two most common entry points for breaches — second only to phishing. The FINRA cybersecurity checklist specifically calls for timely application of security patches to critical firm resources: servers, network routers, desktops, laptops, mobile phones, and software systems. Patch management logs are evidence regulators expect to see during examinations.
What compliance actually requires: A defined patching cadence with documented timelines – critical patches applied within a defined window (typically 72 hours to 14 days depending on severity), with evidence that the schedule is followed. Any deferred patches should have documented risk acceptance rather than simply being left unaddressed. The patching process should cover operating systems, third-party applications, firmware, and network devices – not just Windows updates.
What good looks like: A centralized patch management platform that provides visibility across all endpoints, automates patch deployment on a defined schedule, and generates reports showing patch status and any outstanding vulnerabilities. Patch compliance reports should be reviewed regularly by someone with authority to escalate deferred patches.
What we find in most firms: Endpoints 6 to 18 months behind on patches. No centralized visibility into patch status – IT staff rely on manual checks or individual device reports. No documented patching cadence. No risk acceptance process for deferred patches.
Requirement 7: Backup, Recovery, and Business Continuity
What the regulators say: FINRA Rule 4370 requires written business continuity plans that address operational disruptions, including ransomware events. The amended Regulation S-P requires firms to have an incident response program that includes recovery from unauthorized access to customer information. FINRA and cyber insurance carriers are increasingly asking for evidence of tested backups — not just confirmation that backups are running.
What compliance actually requires: Encrypted, tested backups with documented recovery time objectives (RTOs) and recovery point objectives (RPOs). Backups must be isolated from the primary environment – a backup that lives on the same network segment as the systems it’s protecting can be encrypted by the same ransomware event. Restore tests must be documented with timestamps, what was restored, and who verified the result. Quarterly restore testing for critical systems is the minimum standard in a regulated environment.
What good looks like: Immutable, offsite backups that can’t be modified or deleted by ransomware. A written BCP that documents recovery procedures, assigns roles, and defines RTOs and RPOs. Quarterly restore testing with documented results. Annual tabletop exercises that walk leadership through a full recovery scenario, including regulatory notification requirements. Backup and recovery logs retained as compliance evidence. Our cloud services include offsite backup architecture designed specifically for regulated financial environments.
What we find in most firms: Backups running silently with no restore testing. Backup systems connected to the same network as production systems. No documented RTOs or RPOs. No business continuity plan beyond “call IT.” In 2025, only 44% of financial organizations were able to use backups to successfully restore data after a ransomware attack – down from 62% in 2024.
Requirement 8: Incident Response Planning
What the regulators say: The amended Regulation S-P requires a written incident response program that includes procedures to detect, respond to, and recover from unauthorized access to customer information — and to notify affected individuals within 30 days of discovery. Service providers must notify the covered institution within 72 hours of discovering a breach. FINRA Rule 4370 requires business continuity plans that address cyber incidents. FINRA examiners look for plans that have been tested, not just documented.
What compliance actually requires: A written incident response plan that covers the specific scenarios financial firms face: ransomware, business email compromise, data exfiltration, and vendor breach. The plan must define who has decision-making authority, when legal counsel gets called, how the cyber insurance carrier gets notified, and what the regulatory notification requirements are for the firm’s specific registration type. The plan must be tested – an annual tabletop exercise that walks leadership through a realistic scenario – and the testing must be documented.
What good looks like: A living IR plan connected to legal counsel, the cyber insurance carrier, and the firm’s compliance consultant – relationships established before an incident occurs. Pre-established contacts for every critical vendor and custodian. An out-of-band communication plan for use when primary systems are compromised. Annual tabletop exercise with documented results and identified gaps addressed.
What we find in most firms: A policy document that hasn’t been reviewed since it was written. No connection to legal counsel or the cyber insurance carrier prior to an incident. No vendor escalation contacts. No tabletop exercise. Principals who discover during an actual incident that their carrier requires an approved IR vendor – and learn this only after using a non-approved one.
Requirement 9: Vendor Management and Third-Party Risk
What the regulators say: FINRA’s 2026 Annual Regulatory Oversight Report designates third-party risk as a standalone examination area. Through Q3 2025, FINRA sent more than 6,000 notifications to member firms about cyber vulnerabilities affecting their vendors. FINRA expects firms to assess the risks associated with third-party vendors during onboarding and on an ongoing basis, and to have contingency plans for critical vendors.
What compliance actually requires: A documented vendor inventory that identifies every third-party with access to firm systems or customer data. Risk assessments for each vendor, reviewed annually. Contractual provisions that address the vendor’s security obligations and notification requirements under Regulation S-P. Procedures for vendor off-boarding that ensure access to firm systems and data is revoked when the relationship ends.
What good looks like: A vendor risk register with security assessments, contractual security provisions, and annual review dates. Vendor agreements for any party handling customer information updated to reflect Regulation S-P notification requirements. A process for monitoring FINRA and CISA advisories about vulnerabilities in vendors the firm uses.
What we find in most firms: No vendor inventory. No security assessments for vendors with access to client data. Vendor agreements that predate current regulatory requirements. Former vendors with lingering access to firm systems after the relationship has ended.
Requirement 10: Security Awareness Training
What the regulators say: FINRA’s guidance explicitly includes security awareness training as a required element of a cybersecurity program — and specifies that training should be tailored to different functions and roles, not just generic cross-firm training. Simulated phishing is specifically called out as an effective practice. Training records at the individual user level are evidence regulators expect to find.
What compliance actually requires: Regular training for all staff, not just registered persons, that covers phishing recognition, social engineering tactics, wire fraud procedures, and the firm’s specific security policies. Simulated phishing campaigns that test whether training is working. Records that document completion rates, test results, and dates at the individual level.
What good looks like: A security awareness training platform that delivers regular training, runs phishing simulations, tracks completion and results by individual, and generates reports that can be produced during an examination. Training content that includes financial services-specific scenarios: custodian impersonation, wire transfer fraud attempts, and account takeover tactics.
What we find in most firms: Annual cybersecurity training delivered as a generic video. No phishing simulations. No individual-level records. Registered persons trained; administrative and operations staff not.
The Cybersecurity and Compliance Documentation Gap: What Examiners Actually Ask Financial Services Firms in St. Louis
Having the right technology in place is necessary. Being able to demonstrate it during an examination is what compliance actually requires. FINRA examiners don’t just ask whether controls exist. They ask for evidence that controls are supervised, reviewed, and improving over time.
The documentation a financial firm should be able to produce includes:
- An asset inventory covering all endpoints and licensed software
- A user access matrix with admin accounts identified
- An off-boarding checklist with evidence it’s followed
- Patch management reports showing a consistent cadence
- Backup and restore logs with timestamps and verification sign-off
- Security awareness training records at the individual level
- An incident log showing every security event and how it was handled
- Vendor risk assessments with annual review dates
- A written incident response plan with tabletop exercise results; and
- A business continuity and disaster recovery plan with documented RTOs and RPOs.
Most firms we onboard have two or three of these documented and current. A firm that can produce all of them – current, organized, and tied to an annual review cycle – is in a fundamentally different position during an examination than one that can’t.
What This Looks Like as a Technology Stack for Your Financial Services Firm
For a financial services firm subject to FINRA and SEC oversight, your cybersecurity firm should provide and maintain a minimum viable cybersecurity stack that looks like this:
Identity and access: Microsoft Entra ID with Conditional Access, MFA enforced on all applications, Privileged Identity Management for admin accounts, automated off-boarding workflows.
Endpoint protection: Behavioral EDR deployed on all endpoints with MDR for human-monitored response capability.
Email security: Microsoft Defender for Office 365 with Safe Links, Safe Attachments, anti-phishing with impersonation protection, and DMARC in enforcement mode.
Data loss prevention: Microsoft Purview DLP policies for financial data across Exchange, SharePoint, OneDrive, and Teams. SharePoint external sharing restricted to approved domains only.
Backup and recovery: Immutable, offsite backups with documented RTOs and RPOs, quarterly restore testing, and documented results.
Patch management: Centralized patch management with a defined cadence and compliance reporting.
Security awareness: Training platform with phishing simulation and individual-level completion records.
Incident response: Written IR plan connected to legal counsel and cyber insurance carrier, tested annually via tabletop exercise.
Logging and monitoring: Unified Audit Log in Microsoft 365 enabled and retained to meet compliance obligations. Network and endpoint logging feeding a centralized SIEM or log aggregator.
How Alliance Tech Helps St. Louis Financial Firms Meet These Requirements
Alliance Tech has been serving financial services firms in the St. Louis metro for over 25 years from our headquarters in Chesterfield. We work with RIAs, broker-dealers, wealth managers, CPAs, and insurance firms across Clayton and the broader St. Louis region.
Our cybersecurity services are built around the specific requirements of regulated financial firms. Not generic small business security. As the only Sophos Gold Partner in the St. Louis region, we deploy enterprise-grade endpoint protection and MDR that most MSPs can’t offer. Our managed IT services include the patch management, access controls, and Microsoft 365 hardening that regulators look for during examinations. And our approach to SEC Regulation S-P, FINRA compliance, and cyber insurance readiness is built into every engagement – not offered as an add-on.
If you’re not certain whether your current cybersecurity stack meets FINRA and SEC requirements, or whether you could demonstrate compliance during an examination, that’s worth resolving before an examiner, insurer, or incident forces the issue.
Call (314) 649-8888 or schedule a free assessment to find out exactly where your firm stands.