These resources help financial services firms to address critical cyber threats and improve the industry’s overall cybersecurity. Many resources apply industry best practices as well as the volunteer efforts of SIFMA member firms.
Learn more about SIFMA’s efforts around cybersecurity, including the Principles for Effective Cybersecurity Regulatory Guidance.
Best Practices for Insider Threats
SIFMA, leveraging the most effective guidance from both the private and public sectors, provides a comprehensive set of best practices to inform firms of the insider threats they face and a framework to establish a prevention-focused insider threat mitigation program.
Data Protection Principles
Financial companies need to collect and share sensitive information to run their everyday business. Members of SIFMA’s Data Protection Working Group have developed a set of principles for the protection of sensitive data that align with the NIST Cybersecurity Framework.
Financial Services Cybersecurity Profile
The Financial Services Cybersecurity Profile provides a benchmark for cybersecurity and resiliency in the financial services industry. The Profile is available – at no cost to the industry – through the Cyber Risk Institute (CRI), a not-for-profit coalition of financial institutions and trade associations.
The Profile is based on NIST’s “Framework for Improving Critical Infrastructure Cybersecurity”; CPMI-IOSCO’s “Guidance on cyber resilience for financial market infrastructures”; ISO 27000 series controls for information security management systems; and financial sector supervisory guidance and regulatory frameworks.
GFMA Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry
This Framework is designed to create an agreed upon approach for regulators and financial services firms to conduct effective testing to satisfy both supervisory and firm originated requirements. In this second version, published December 2020, these principles are updated based on the evolution of industry best practices and guidance from frameworks around the world.
- GFMA Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry
- Key Principles for a Commonly Accepted Penetration Testing Framework
- See all GFMA Pen-Testing Resources
Global Financial Markets Association (GFMA) Correspondence
The Global Financial Markets Association (GFMA), SIFMA’s global affiliate, serves as a forum to address international cyber risk. Correspondence includes consultations with the Bank of England, Financial Conduct Authority, Bank of International Settlements, Financial Stability Board and more.
Guidance for Small Firms
This program is intended to provide small firms with actionable cybersecurity guidance that is risk-based, threat-informed and supportive of their overall business model.
International Cybersecurity, Data and Technology Principles
GFMA (SIFMA’s global affiliate), the European Banking Federation (EBF), and International Swaps and Derivatives Association (ISDA) published a paper that offers the groups’ thoughts on foundational principles for the formation of effective policy on cybersecurity, data and technology.
Quantum Dawn Exercises
SIFMA has organized the Quantum Dawn exercise series to enable both individual firms and the sector as a whole to test their response plans in the event of a systemic attack.
Sheltered Harbor is an initiative by the U.S. financial services sector to enhance customer data protection and ensure swift restoration of customer accounts in the event of a major cyber-attack.
- National Institute of Standards and Technology (NIST)
- U.S. Department of Defense: United States Cyber Command
- U.S. Department of Homeland Security: Cybersecurity Activities
- U.S. Department of the Treasury Office of Critical Infrastructure Protection and Compliance Policy (OCIP)
- Secret Service
- Reflections on the Tenth Anniversary of The 9/11 Commission Report (July 2014)
- Beyond Data Breaches: Global Interconnections of Cyber Risk (April 2014)
- New York State: Department of Financial Services – Cybersecurity Resource Center
- Cisco Cybersecurity Reports
- Verizon Data Breach Investigations Report (2023)