If your firm is registered as a broker-dealer, investment advisor, or operates in the securities industry, SEC and FINRA are the two regulators that set the cybersecurity, recordkeeping, and operational rules you're required to follow — and both have gotten significantly more aggressive in recent years.
This one's part of the NerdSquad IT Dictionary — plain-English breakdowns of the regulators, frameworks, and acronyms that show up in compliance conversations.
SEC and FINRA are often mentioned together because they operate in overlapping territory — but they're different organizations with different authority and different enforcement approaches. Understanding which one applies to your firm (and how) is the starting point for any meaningful financial services IT compliance program.
SEC — Securities and Exchange Commission. The primary federal regulator for the U.S. securities markets. A government agency created by the Securities Exchange Act of 1934 in the aftermath of the 1929 stock market crash. The SEC oversees public company disclosures, investment advisors, broker-dealers, exchanges, and securities offerings. It writes and enforces the rules that govern securities markets.
FINRA — Financial Industry Regulatory Authority. A self-regulatory organization (SRO) — meaning it's a private organization authorized by Congress to regulate broker-dealers. FINRA isn't a government agency; it was created in 2007 through the consolidation of the NASD and the regulatory arm of the NYSE. Every broker-dealer registered with the SEC is also required to be a FINRA member and follow FINRA's rules.
Think of the SEC as the legislature and FINRA as the local sheriff. The SEC writes the laws; FINRA enforces them at the street level for broker-dealers, conducts exams, and adds its own rules on top. Investment advisors (RIAs) are regulated by the SEC (or state regulators, depending on AUM), while broker-dealers are regulated by both.
For IT and cybersecurity purposes, both regulators care about the same core questions: Are client records protected? Can you detect and respond to a breach? Are your systems and communications preserved in a way that allows for regulatory examination?
SEC oversight applies to:
FINRA oversight applies to:
If your firm is an RIA that doesn't also operate as a broker-dealer, FINRA doesn't directly regulate you — the SEC does. Many firms are dually registered, making both sets of rules applicable.
Neither the SEC nor FINRA has a single comprehensive cybersecurity rulebook equivalent to HIPAA's Security Rule. Instead, requirements come from a patchwork of rules, guidance, and examination findings. The most relevant:
SEC Regulation S-P (Privacy of Consumer Financial Information): Requires broker-dealers, investment companies, and RIAs to adopt written policies and procedures to protect customer financial information. The 2024 amendments to Reg S-P significantly expanded requirements, adding mandatory breach notification timelines (30 days for affected individuals), incident response program requirements, and formal oversight obligations for service providers. This is GLBA's equivalent in the securities world.
SEC Regulation S-ID (Identity Theft Red Flags): Requires certain financial institutions and creditors to implement written identity theft prevention programs to detect, prevent, and mitigate identity theft.
SEC Cybersecurity Risk Management Rules (2023): Public companies must now disclose material cybersecurity incidents within four business days of determining materiality, and annually disclose their cybersecurity risk management processes, strategy, and governance. Board-level cybersecurity oversight is now a required disclosure topic.
FINRA Rule 4370 — Business Continuity Plans: Requires member firms to create and maintain written business continuity plans (BCPs) that address how the firm will operate in the event of a significant business disruption. IT disaster recovery, backup systems, and alternative communication methods are core components.
FINRA Rule 3110 — Supervision: Requires firms to establish supervisory systems, including for electronic communications. Email and messaging archiving requirements flow from this rule.
Books and Records Rules (SEC Rules 17a-3 and 17a-4, FINRA Rule 4511): These are the recordkeeping rules that have significant IT implications. Broker-dealers must preserve certain records for defined periods (3–6 years depending on record type), in a format that is non-rewriteable and non-erasable for electronic records — which is exactly what WORM storage was designed for. These rules are strictly enforced; FINRA and the SEC have issued nine-figure fines to major firms for recordkeeping failures involving communication platforms like WhatsApp and Signal.
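As an added example (not from the NerdSquad page, and not any vendor's product), here is the write-once, read-many behaviour that paragraph describes, modelled in Python: a record can be written exactly once, every read re-checks a stored digest so silent alteration is detectable, and erasure is refused until the record's retention period has run. The record types and their retention years are assumptions, not the rule's actual schedule.

```python
import hashlib
from datetime import date

# Assumed retention schedule in years (placeholder; real periods depend on record type).
RETENTION_YEARS = {"trade_blotter": 6, "email": 3, "customer_account": 6}

class WormViolation(Exception):
    """Raised on any attempt to overwrite or erase a retained record."""

def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # Feb 29 with a non-leap target year: round down to Feb 28
        return d.replace(year=d.year + years, day=28)

class WormArchive:
    """Write-once store: no overwrite, and no erase before retention expires."""
    def __init__(self) -> None:
        self._store: dict = {}  # record_id -> {"body", "retain_until", "digest"}
    def write(self, record_id: str, record_type: str, body: bytes, today: date) -> date:
        if record_id in self._store:
            raise WormViolation(f"{record_id} exists; records are write-once")
        until = _add_years(today, RETENTION_YEARS[record_type])
        self._store[record_id] = {"body": body, "retain_until": until,
                                  "digest": hashlib.sha256(body).hexdigest()}
        return until
    def read(self, record_id: str) -> bytes:
        rec = self._store[record_id]
        if hashlib.sha256(rec["body"]).hexdigest() != rec["digest"]:
            raise WormViolation(f"{record_id} failed integrity check")
        return rec["body"]
    def delete(self, record_id: str, today: date) -> None:
        if today < self._store[record_id]["retain_until"]:
            raise WormViolation(f"{record_id} is still within its retention period")
        del self._store[record_id]

def demo() -> dict:
    a = WormArchive()  # constructed sample: a single trade-blotter entry
    until = a.write("T-1", "trade_blotter", b"BUY 100 XYZ @ 10.00", date(2024, 1, 15))
    out = {"retain_until": until.isoformat(), "body": a.read("T-1"), "blocked": []}
    for op in (lambda: a.write("T-1", "trade_blotter", b"tampered", date(2024, 1, 16)),
               lambda: a.delete("T-1", date(2029, 12, 31))):
        try:
            op()
            out["blocked"].append(False)
        except WormViolation:
            out["blocked"].append(True)
    a.delete("T-1", date(2030, 1, 15))  # retention expired: erasure now permitted
    out["remaining"] = len(a._store)
    return out
```

A real deployment pushes the same three guarantees down into the storage layer (object-lock or WORM media) rather than trusting application code, since an administrator with write access to the store could otherwise bypass them.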
Starting in 2021, the SEC and FINRA launched an unprecedented enforcement campaign targeting financial firms that allowed employees to conduct business-related communications on personal devices and unapproved messaging apps. The firms weren't capturing and retaining those communications as required by the books and records rules.
The result: more than $2.5 billion in penalties assessed against major Wall Street firms between 2021 and 2024 for off-channel communications failures alone. The firms included household names across investment banking, asset management, and broker-dealer operations.
The lesson for IT: if your firm's employees are using personal phones, WhatsApp, iMessage, or any unapproved platform for business-related communications, that's an active regulatory exposure — not a theoretical one.
Both regulators conduct routine examinations (exams) of firms they oversee. These are not investigations — they're scheduled or surprise reviews of firm operations, compliance programs, and records. Cybersecurity has become a standing examination topic for both regulators.
Examiners typically request evidence of:
Firms that can't produce this documentation during an exam face deficiency letters, follow-up examinations, and in serious cases, formal enforcement referrals.
Financial services firms under SEC and FINRA oversight have some of the most demanding IT compliance requirements of any industry. A capable MSP working with these firms needs to support:
Financial services firms are among the most compliance-layered businesses in existence. SEC and FINRA requirements sit on top of, not instead of, other applicable frameworks:
Financial services IT compliance is a specialization — the combination of recordkeeping rules, cybersecurity requirements, and examiner expectations is unlike anything in other industries. If your firm is under SEC or FINRA oversight and you're not confident your IT environment would hold up to an exam, that's worth a conversation.