Here are resources for the financial industry to address critical cyber threats and improve the industry’s overall cybersecurity. Many resources leverage industry best practices and the volunteer efforts of SIFMA member firms to help all firms to increase their cybersecurity.
Learn more about SIFMA’s efforts around cybersecurity, including the Principles for Effective Cybersecurity Regulatory Guidance, here.
Best Practices for Insider Threats
SIFMA, leveraging the most effective guidance from both the private and public sectors, has created a comprehensive best practices guide to inform firms of the insider threats they face and to provide a framework for creating an effective insider threat mitigation program.
- Best Practices for Insider Threats
- SIFMA Presentation – Cybersecurity: Insider Threats Best Practices
Cyber and Operational Resilience Table Top Exercises
Exercises designed for a firm to apply its cyber incident response plan to a set of detailed incident scenarios, allowing a cross-functional team of key decision makers to navigate the impacts in an interactive setting while trying to maintain the firm’s operations.
Cyber Insurance Program
SIFMA is pleased to offer our members a best-in-class cyber and privacy insurance policy, provided through DeWitt Stern and underwritten by ACE Group.
Data Protection Principles
Financial companies need to collect and share sensitive information to run their everyday business. Members of SIFMA’s Data Protection Working Group have developed a set of principles for the protection of sensitive data that align to the NIST Cybersecurity Framework.
Financial Services Sector Cybersecurity Profile
The Financial Services Sector Coordinating Council (FSSCC) for Critical Infrastructure Protection and Homeland Security established a Financial Services Sector Cybersecurity Profile. The Profile is a scalable and extensible assessment that financial institutions of all types can use for internal and external cyber risk management assessment and as a mechanism to evidence compliance with various regulatory frameworks both within the United States and globally.
GFMA Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry
This Framework is designed to create an agreed-upon approach for regulators and financial services firms to conduct effective testing that satisfies both supervisory and firm-originated requirements. In this second version, published December 2020, the principles are updated based on the evolution of industry best practices and guidance from frameworks around the world.
- GFMA Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry
- Key Principles for a Commonly Accepted Penetration Testing Framework
- See all GFMA Pen-Testing Resources
Global Financial Markets Association (GFMA) Correspondence
The Global Financial Markets Association (GFMA), SIFMA’s global affiliate, serves as a forum to address international cyber risk. Correspondence includes consultations with the Bank of England, the Financial Conduct Authority, the Bank for International Settlements, the Financial Stability Board and more.
Guidance for Small Firms
This program is intended to provide small firms with actionable cybersecurity guidance that is risk-based, threat-informed and supportive of their overall business model.
International Cybersecurity, Data and Technology Principles
GFMA (SIFMA’s global affiliate), the European Banking Federation (EBF), and International Swaps and Derivatives Association (ISDA) published a paper that offers the groups’ thoughts on foundational principles for the formation of effective policy on cybersecurity, data and technology.
Quantum Dawn Exercises
SIFMA has organized the Quantum Dawn exercise series to enable both individual firms and the sector as a whole to test their response plans in the event of a systemic attack.
Sheltered Harbor
Sheltered Harbor is an initiative by the U.S. financial services sector to enhance customer data protection and ensure swift restoration of customer accounts in the event of a major cyber-attack.
Third Party Risk Management
The use of service providers to perform key operational functions presents various challenges and risks to financial institutions if not managed properly. This resource provides tools and guidance that firms can leverage to improve their third-party risk management programs.
- National Institute of Standards and Technology (NIST)
- U.S. Department of Defense: United States Cyber Command
- U.S. Department of Homeland Security: Cyber Security Activities
- U.S. Department of the Treasury Office of Critical Infrastructure Protection and Compliance Policy (OCIP)
- Secret Service
- Reflections on the Tenth Anniversary of The 9/11 Commission Report (July 2014)
- Beyond Data Breaches: Global Interconnections of Cyber Risk (April 2014)
- New York State Department of Financial Services – Report of Cybersecurity in the Banking Sector (May 2014)
- Symantec Annual Threat Report (2019)
- Cisco Annual Security Report
- Verizon Data Breach Investigations Report