Cybersecurity has appeared in FINRA's Annual Regulatory Oversight Report every year since 2015. The 2026 report does not break that pattern — it expands expectations, adding AI-related cybersecurity risks and autonomous agent oversight to the existing framework.
2015, FINRA cyber priority: every AROR since has included cybersecurity.
Rule 4511 (Books & Records): log data is a regulatory obligation.
Rule 3110 (Supervision): all cybersecurity controls are subject to oversight.
Annual IR plan testing: FINRA expects documented tabletop results.
For FINRA member firms, cybersecurity is not a technology department concern. It is a compliance and supervision obligation. This article covers what the 2026 AROR requires, what examination staff will review, and what a FINRA-compliant cybersecurity governance program looks like.
What the 2026 AROR Requires on Cybersecurity
The 2026 FINRA AROR identifies the following cybersecurity governance expectations:
Identity and access management. FINRA expects firms to enforce least-privilege access principles, require multi-factor authentication, and perform comprehensive access reviews covering both human and non-human accounts (service accounts, API keys, automated processes). This is not new guidance — it is a recurring AROR finding because most firms still have gaps.
Risk assessments. Firms should regularly reassess their technology risk profile as the business and systems evolve. FINRA expects this to be a living process, not an annual checkbox. Significant technology changes — new AI tools, cloud migrations, new vendor relationships — should trigger interim risk assessments.
IT governance for AI and LLMs. The 2026 AROR specifically calls out governance and model risk frameworks for AI and LLM development and use, with strong documentation and data management controls. Cybersecurity requirements for AI include data quality, integrity, retention, and security — reflecting that AI systems introduce cybersecurity risks distinct from traditional software.
Configuration management. Firms must maintain an inventory of desktops, laptops, applications, and servers configured to firm standards. This is a foundational requirement that examination staff consistently find incomplete — particularly for remote endpoints and cloud-hosted applications.
Log management. Capture and retain log data from relevant sources based on regulatory and business needs. The 2026 AROR specifies that log data is both a cybersecurity tool (for incident detection) and a regulatory obligation (for examination and books and records purposes).
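The log-management item above treats centralized logs as both a detection tool and a record for examination. The script below is an added example, not code from the article or from FINRA: it runs three documented alert rules over constructed authentication log lines forwarded to one place and produces a review record with a named reviewer, the event count and per-rule alert counts, which is the shape of evidence examiners ask for. The host names, account names, the terminated-user list, the MFA-required host set and the failure threshold are all constructed assumptions.

```python
"""Added example, not from the article: a minimal centralized log review with
three documented alert rules and a review record of the kind an examiner asks
for. All log lines, host names, account names and thresholds are constructed."""
from collections import Counter, defaultdict

# Constructed sample: authentication events already forwarded to one platform.
SAMPLE_LOGS = """\
2026-01-14T09:01:12Z host=vpn-gw1 event=login user=jsmith src=203.0.113.5 result=success mfa=yes
2026-01-14T09:02:40Z host=crm-app event=login user=rlee src=198.51.100.7 result=success mfa=no
2026-01-14T09:03:01Z host=trade-web event=login user=mchen src=192.0.2.9 result=failure mfa=no
2026-01-14T09:03:05Z host=trade-web event=login user=mchen src=192.0.2.9 result=failure mfa=no
2026-01-14T09:03:09Z host=trade-web event=login user=mchen src=192.0.2.9 result=failure mfa=no
2026-01-14T09:03:14Z host=trade-web event=login user=mchen src=192.0.2.9 result=failure mfa=no
2026-01-14T09:03:20Z host=trade-web event=login user=mchen src=192.0.2.9 result=failure mfa=no
2026-01-14T09:03:31Z host=trade-web event=login user=mchen src=192.0.2.9 result=success mfa=yes
2026-01-14T09:10:00Z host=admin-portal event=login user=svc_backup src=10.0.0.4 result=success mfa=no
2026-01-14T09:12:45Z host=crm-app event=login user=tformer src=198.51.100.22 result=success mfa=yes
"""

# Assumed governance inputs (constructed, not from the article).
MFA_REQUIRED_HOSTS = {"vpn-gw1", "crm-app", "trade-web", "admin-portal"}
TERMINATED_USERS = {"tformer"}          # fed from the HR termination workflow
DOCUMENTED_MFA_EXCEPTIONS = set()       # empty on purpose: no undocumented exceptions
FAILURE_THRESHOLD = 5                   # consecutive failures that make a later success suspicious


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; None for lines that do not fit."""
    parts = line.strip().split()
    if len(parts) < 2 or "=" in parts[0]:
        return None
    event = dict(kv.split("=", 1) for kv in parts[1:] if "=" in kv)
    event["ts"] = parts[0]
    return event


def run_alert_rules(log_text):
    """Apply the three alert rules in order and return (rule, user, host, ts) tuples."""
    alerts = []
    failures = defaultdict(int)   # (user, host) -> consecutive failures seen so far
    for event in filter(None, map(parse_line, log_text.splitlines())):
        if event.get("event") != "login":
            continue
        user, host, ts = event["user"], event["host"], event["ts"]
        # Rule 1: success without MFA on a system where MFA is required and no
        # documented exception exists (the "MFA not fully deployed" gap).
        if (event["result"] == "success" and event.get("mfa") != "yes"
                and host in MFA_REQUIRED_HOSTS and user not in DOCUMENTED_MFA_EXCEPTIONS):
            alerts.append(("MFA_GAP", user, host, ts))
        # Rule 2: any activity by an account HR has marked terminated.
        if user in TERMINATED_USERS:
            alerts.append(("TERMINATED_ACCOUNT_ACTIVE", user, host, ts))
        # Rule 3: a success following a run of failures by the same user on the same host.
        if event["result"] == "failure":
            failures[(user, host)] += 1
            continue
        if failures[(user, host)] >= FAILURE_THRESHOLD:
            alerts.append(("SUCCESS_AFTER_FAILURES", user, host, ts))
        failures[(user, host)] = 0
    return alerts


def log_review_record(log_text, reviewer):
    """The evidence of review: who looked, how many events, which alerts, per-rule counts."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    alerts = run_alert_rules(log_text)
    return {
        "reviewer": reviewer,
        "events_reviewed": len(events),
        "alerts": alerts,
        "alert_counts": dict(Counter(rule for rule, *_ in alerts)),
    }


if __name__ == "__main__":
    record = log_review_record(SAMPLE_LOGS, reviewer="compliance reviewer")
    for alert in record["alerts"]:
        print(*alert)
    print(record["alert_counts"])
```

On the constructed sample the rules raise four alerts: two MFA gaps (one of them a service account with no documented exception), one success after five failures, and one login by a terminated user. The review record, not the alerts alone, is what satisfies the "documented review" expectation; storing it with the retained logs ties the detection use of log data to the books-and-records use.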
IT resiliency. Test both firm and vendor controls to confirm that critical systems can maintain acceptable service levels during disruptions. This includes documented business continuity and disaster recovery testing with results — not just a written plan.
Branch office procedures. For firms with branch offices, limit branch-managed servers, confirm devices are fully inventoried, and ensure branch technology is under the same governance framework as the home office. Branch cybersecurity governance gaps are a consistent examination finding.
Data backups. Regular encrypted, off-network backups with tested restoration capabilities. Examiners will ask when backups were last tested — not just whether they exist.
FINRA's Cybersecurity Enforcement Posture
FINRA cybersecurity enforcement actions result from either examination findings or breach incidents that reveal pre-existing governance failures. Common enforcement patterns include:
Off-channel communications and recordkeeping. While not exclusively a cybersecurity issue, the SEC and FINRA's enforcement focus on off-channel communications (WhatsApp, personal email, personal AI tools) reflects a broader concern about uncontrolled communications channels that create both compliance and cybersecurity risk. Firms with employees using personal devices for business communications without MDM enrollment and monitoring have both a recordkeeping problem and a cybersecurity problem.
Inadequate identity controls leading to customer account takeovers. FINRA examination findings consistently cite inadequate identity verification, insufficient MFA enrollment for customer accounts, and weak internal access controls as factors in customer harm events that result in enforcement referrals.
Vendor incidents revealing inadequate due diligence. When a vendor breach affects a FINRA member firm's customers, examiners review what due diligence the firm performed on the vendor's cybersecurity posture. Firms without documented vendor cybersecurity assessments face findings even when they were not the party that was breached.
The Specific Gaps Most FINRA Member Firms Have
Based on FINRA AROR language and examination finding patterns, the most common cybersecurity governance gaps at member firms are:
Incomplete asset inventories. Firms cannot manage cybersecurity risk for systems they do not know exist. Undocumented endpoints, cloud applications subscribed by individual employees, and shadow IT represent unmanaged attack surface. FINRA examination staff will ask for a current asset inventory.
MFA not fully deployed. Most firms have MFA on email and VPN but have not extended it to internal applications, cloud storage, trading systems, and administrative portals. Examiners will ask specifically about MFA coverage — not just whether MFA policy exists.
No formal vendor cybersecurity due diligence process. Many vendor relationships were established without a cybersecurity assessment and continue without ongoing monitoring. For firms using SaaS trading platforms, cloud CRM systems, or third-party compliance tools, the absence of vendor security documentation creates examination exposure.
Access reviews not performed or not documented. Quarterly access reviews are a standard expectation but are frequently not documented. Former employees with active accounts, over-privileged service accounts, and dormant user accounts with system access are consistent examination findings.
IR plan not tested. A written incident response plan with no evidence of testing is a documentation exercise, not a governance control. FINRA expects documented tabletop exercise results or simulation testing on at least an annual basis.
Building a FINRA-Compliant Cybersecurity Governance Program
Asset Inventory
Document all hardware, software, cloud apps, and non-human accounts. Maintain continuously, review quarterly.
MFA Deployment
Enforce MFA on all systems — email, VPN, trading platforms, CRM, compliance tools, admin portals. No undocumented exceptions.
Access Reviews
Quarterly reviews with documentation. Automated deprovisioning tied to HR termination workflows.
Risk Assessment
Annual assessment against a recognized framework, with findings tracked through remediation so the record is available for examination.
Vendor Due Diligence
Documented evaluation process for all vendors with system access. Include contractual security provisions and ongoing monitoring.
IR Plan Testing
Annual tabletop exercise documentation, escalation matrix, and playbooks for ransomware, credential compromise, account takeover, and vendor breach.
Log Management
Security event logs from all critical systems to a centralized platform with alert rules and documented review.
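The "Access reviews not performed or not documented" gap above and the Access Reviews item in this list (quarterly reviews with documentation, deprovisioning tied to HR termination) describe one control. The script below is an added example, not code from the article or from any identity product: it reconciles a constructed HR roster against a constructed identity-system export, flags the findings the article names (terminated employees still enabled, dormant accounts, over-privileged service accounts) plus enabled human accounts with no HR record, and emits the deprovisioning action list and the review record. The review date, the 90-day dormancy threshold, the privileged role names and every account are assumptions.

```python
"""Added example, not from the article: a quarterly access-review reconciliation
of an HR roster against an identity-system export, producing findings, the
deprovisioning list and the review record. All data and thresholds are constructed."""
from collections import Counter
from datetime import date

REVIEW_DATE = date(2026, 3, 31)                  # assumed quarter-end review date
DORMANT_AFTER_DAYS = 90                          # assumed dormancy threshold
ADMIN_ROLES = {"domain_admin", "global_admin"}   # assumed privileged role names

# Constructed HR roster: the source of truth for who is employed.
HR_ROSTER = {
    "jsmith":  {"status": "active", "terminated_on": None},
    "rlee":    {"status": "active", "terminated_on": None},
    "tformer": {"status": "terminated", "terminated_on": date(2026, 1, 15)},
    "dquinn":  {"status": "active", "terminated_on": None},
}

# Constructed identity-system export: the accounts as they actually exist.
IAM_ACCOUNTS = [
    {"user": "jsmith", "type": "human", "enabled": True, "roles": ["trader"], "last_login": date(2026, 3, 30)},
    {"user": "rlee", "type": "human", "enabled": True, "roles": ["crm_user"], "last_login": date(2026, 3, 28)},
    {"user": "tformer", "type": "human", "enabled": True, "roles": ["crm_user"], "last_login": date(2026, 2, 2)},
    {"user": "dquinn", "type": "human", "enabled": True, "roles": ["analyst"], "last_login": date(2025, 11, 1)},
    {"user": "svc_backup", "type": "service", "enabled": True,
     "roles": ["backup_operator", "domain_admin"], "last_login": date(2026, 3, 31)},
    {"user": "svc_reports", "type": "service", "enabled": True, "roles": ["report_reader"], "last_login": None},
    {"user": "orphan01", "type": "human", "enabled": True, "roles": ["crm_user"], "last_login": date(2026, 3, 1)},
    {"user": "xleft", "type": "human", "enabled": False, "roles": ["analyst"], "last_login": date(2025, 6, 1)},
]


def review_access(hr_roster, iam_accounts, review_date=REVIEW_DATE,
                  dormant_after_days=DORMANT_AFTER_DAYS):
    """Return (finding, user, detail) tuples for every enabled account that needs action."""
    findings = []
    for acct in iam_accounts:
        if not acct["enabled"]:
            continue                      # already disabled: nothing to review
        user = acct["user"]
        if acct["type"] == "human":
            hr = hr_roster.get(user)
            if hr is None:
                findings.append(("NO_HR_RECORD", user, "enabled human account with no HR record"))
            elif hr["status"] == "terminated":
                days = (review_date - hr["terminated_on"]).days
                findings.append(("TERMINATED_STILL_ACTIVE", user,
                                 f"terminated {days} days ago, account still enabled"))
        elif acct["type"] == "service":
            admin = sorted(ADMIN_ROLES.intersection(acct["roles"]))
            if admin:
                findings.append(("OVERPRIVILEGED_SERVICE_ACCOUNT", user,
                                 "service account holds " + ", ".join(admin)))
        last = acct["last_login"]
        if last is None:
            findings.append(("DORMANT", user, "never logged in"))
        elif (review_date - last).days > dormant_after_days:
            findings.append(("DORMANT", user, f"no login for {(review_date - last).days} days"))
    return findings


# Assumed mapping from finding type to the deprovisioning workflow's action.
DEPROVISION_ACTION = {
    "TERMINATED_STILL_ACTIVE": "disable immediately; verify the HR termination trigger fired",
    "NO_HR_RECORD": "disable pending identification of an owner",
    "DORMANT": "disable pending owner confirmation",
    "OVERPRIVILEGED_SERVICE_ACCOUNT": "remove admin roles; document the permissions actually required",
}


def deprovisioning_list(findings):
    """Map each finding to the action the deprovisioning workflow should take."""
    return [{"user": user, "finding": kind, "action": DEPROVISION_ACTION[kind]}
            for kind, user, _ in findings]


def access_review_record(hr_roster, iam_accounts, reviewer, review_date=REVIEW_DATE):
    """The documented result: what was reviewed, what was found, what will be done."""
    findings = review_access(hr_roster, iam_accounts, review_date)
    return {
        "review_date": review_date.isoformat(),
        "reviewer": reviewer,
        "accounts_reviewed": len(iam_accounts),
        "finding_counts": dict(Counter(kind for kind, *_ in findings)),
        "actions": deprovisioning_list(findings),
    }


if __name__ == "__main__":
    record = access_review_record(HR_ROSTER, IAM_ACCOUNTS, reviewer="compliance reviewer")
    for action in record["actions"]:
        print(action["user"], action["finding"], "->", action["action"])
    print(record["finding_counts"])
```

On the constructed data the review produces five findings: the terminated user still enabled 75 days after termination, two dormant accounts (one human, one service account that has never logged in), the backup service account holding a domain-admin role, and a human account with no HR record at all. Running this on a schedule and retaining the record is what turns "we do quarterly access reviews" into evidence an examiner can inspect; the terminated-user finding in particular is the signal that the HR-to-IAM deprovisioning link is broken.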
The gap between having these components documented and having them technically enforced is the operational gap that creates the most examination and breach exposure. Policies describe intent. Infrastructure determines reality.