Emergency Preparedness and Cybersecurity for Financial Services Firms
March 19, 2026 · 8 min read

When most financial services firms think about emergency preparedness, they picture natural disasters — floods, fires, power outages. But the incidents most likely to shut down a modern accounting firm, advisory practice, or broker-dealer are cyber events: ransomware that encrypts your client data, a phishing attack that compromises wire transfer instructions, or a cloud provider outage that takes your trading platform offline. The regulators know this. FINRA Rule 4370, the FTC Safeguards Rule, and SEC guidance all require financial institutions to maintain business continuity plans that address cybersecurity disruptions with the same rigor as physical emergencies. If your emergency plan doesn't include a cyber incident response component, it's incomplete — and you're out of compliance.
What Does FINRA Rule 4370 Require for Business Continuity?
FINRA Rule 4370 requires every member firm to create and maintain a written business continuity plan (BCP) identifying procedures for responding to an emergency or significant business disruption. The plan must be reasonably designed to ensure the firm can meet its existing obligations to customers, even during a crisis. At minimum, FINRA requires the BCP to address:
- Data backup and recovery — both hard copy and electronic records, including client account data, transaction histories, and financial records
- All mission-critical systems — trading platforms, portfolio management software, CRM systems, email, and communications infrastructure
- Financial and operational assessments — procedures for evaluating the firm's financial condition and operational capability during a disruption
- Alternate communications — backup methods for reaching customers, employees, counterparties, and regulators when primary channels are unavailable
- Alternate physical locations — plans for relocating employees if the primary office is inaccessible
- Critical business constituent, bank, and counterparty impact — how disruptions at the firm's key vendors, banks, clearing firms, and counterparties affect its ability to operate, and what the firm will do about it
- Regulatory reporting and communications with regulators — procedures for continuing to meet filing obligations and for reaching regulators during a disruption
- Customer access to funds and securities — the plan must address how customers will access their assets if the firm cannot continue operations
A member of senior management who is also a registered principal must approve the plan, and the firm must review it at least annually. FINRA also requires firms to disclose in writing, at account opening, how the plan addresses a significant business disruption, to post that disclosure on the firm's website (if it maintains one), and to mail it to customers on request. The 2025 FINRA Annual Regulatory Oversight Report explicitly links BCP obligations to cybersecurity, noting that cyber incidents can compromise a firm's ability to comply with Rule 4370 and other regulatory requirements.
How Does the FTC Safeguards Rule Fit Into Emergency Preparedness?
The FTC's revised Safeguards Rule, which applies to non-bank financial institutions including accounting firms, tax preparers, financial advisors, and mortgage brokers, requires covered entities to maintain a written incident response plan as part of their information security program. (Firms that maintain customer information on fewer than 5,000 consumers are exempt from the written-plan requirement under Section 314.6, but not from the rest of the rule; a plan is still the practical way to meet the remaining obligations.) Under Section 314.4(h), the plan must address:
- Roles and responsibilities of the incident response team
- Internal escalation procedures for responding to security events without undue delay
- Communication protocols for notifying internal stakeholders, external counsel, law enforcement, and affected customers
- Documentation and evidence preservation requirements
- Post-incident review — a feedback loop where lessons learned from each incident or tabletop exercise are incorporated back into the plan
The Safeguards Rule also requires financial institutions to notify the FTC of a "notification event," meaning unauthorized acquisition of unencrypted customer information involving at least 500 consumers, as soon as possible and no later than 30 days after discovery. The notification requirement, which took effect on May 13, 2024, means your incident response plan must include specific procedures for determining incident scope, establishing whether the affected data was encrypted and whether the 500-consumer threshold has been met, and executing the FTC reporting process within the 30-day window. Note that the clock starts at discovery, not at the end of the forensic investigation, so scope assessment has to begin immediately.
Critically, the Safeguards Rule requires every covered institution to designate a Qualified Individual to oversee its information security program, and (for firms at or above the 5,000-consumer threshold) to have that person deliver an annual written report to the board of directors, or to a senior officer if there is no board, covering compliance status, risk assessment results, security events, and recommendations. If your emergency preparedness plan exists separately from your cybersecurity program, you have a documentation gap that auditors and regulators will find.
Why Do Financial Firms Need Unified Physical and Cyber Emergency Plans?
The distinction between physical and cyber emergencies is increasingly artificial. Consider the real scenarios financial services firms face:
- Ransomware during tax season: A CPA firm gets hit with ransomware in March, encrypting client tax files, engagement letters, and the practice management database. The firm can't file returns, can't access client records, and faces IRS deadlines. This is simultaneously a cybersecurity incident and a business disruption requiring BCP activation.
- Cloud provider outage: Your portfolio management platform, hosted by a third-party SaaS vendor, goes offline for 48 hours. Client trades can't execute, reporting stops, and your fiduciary obligations are at risk. Your BCP must address third-party service provider dependencies.
- Wire fraud via business email compromise: An attacker impersonates a client via compromised email and instructs a wire transfer. The fraud isn't discovered until the client calls. This triggers both your incident response plan and potentially your FINRA regulatory reporting obligations.
The 2025 FDIC Report on Cybersecurity and Resilience emphasized that cyber events now represent the most significant operational risk to financial institutions, often exceeding the impact of natural disasters in both duration and cost. Financial firms that maintain separate physical emergency plans and cyber incident response plans risk gaps in coverage, duplicated responsibilities, and delayed response times.
What Should a Financial Services Emergency Preparedness Plan Include?
A comprehensive plan that satisfies both FINRA BCP requirements and FTC Safeguards Rule obligations should include these components:
- Unified incident classification system: Define severity levels that apply to both physical and cyber events. A Category 1 event might be a localized power outage; a Category 4 event might be a ransomware attack affecting all production systems.
- Recovery time objectives (RTOs): Define how quickly each mission-critical system must be restored. For broker-dealers, trading platforms may require RTOs measured in hours. For accounting firms, practice management and document storage systems are the priority.
- Immutable, isolated backup strategy: Maintain encrypted copies of all critical data that are offline, air-gapped, or stored write-once (for example, object storage with retention locks) so that a compromised administrator account cannot delete or overwrite them. Ransomware operators specifically hunt for backup servers and backup credentials before they encrypt, so backup systems must not be reachable with production domain credentials. Test restoration quarterly by actually restoring to a scratch environment and verifying file contents against checksums recorded at backup time, not by checking that the job reported success.
- Communication tree: Document who contacts whom, in what order, using what channels. Include backup communication methods (personal cell phones, secondary email domains) in case primary systems are compromised.
- Vendor and third-party dependencies: Map every critical vendor — your cloud provider, your custodian, your CRM vendor, your phone system — and document their SLAs, their BCP commitments, and your fallback procedures if they go down.
- Regulatory notification checklist: FINRA, SEC, FTC, and state regulators may all require notification depending on the nature of the incident, and each has its own trigger and clock (for example, the FTC's 30-day window for notification events, and the SEC's amended Regulation S-P, which requires broker-dealers and advisers to notify affected individuals within 30 days). Document the triggers, timelines, and responsible parties for each so no one is working them out during the incident.
- Tabletop exercises: Run at least two tabletop exercises per year — one physical scenario and one cyber scenario. Include senior leadership and key operational staff. Document findings and update the plan accordingly.
What Are the Most Common BCP Failures in Financial Services?
Based on regulatory examination findings and real-world incidents, the most frequent gaps include:
- Plans that haven't been updated since initial creation: FINRA requires annual review, but many firms treat this as a checkbox exercise rather than a meaningful assessment of whether the plan still reflects their actual operations, technology stack, and staffing.
- No cyber component: Some firms still maintain BCPs that only address physical disruptions — office relocation, paper record recovery — without addressing the cyber scenarios that are statistically far more likely to occur.
- Untested backups: Firms assume their backups work without ever performing a test restoration. When ransomware hits, they discover the backups are corrupted, incomplete, or not configured to capture all critical data.
- Missing vendor dependencies: If your entire practice runs on a cloud-hosted platform and that platform goes down, your BCP must address this. Many plans don't account for third-party service provider failures.
- No designated or empowered Qualified Individual: The FTC Safeguards Rule requires every covered financial institution, regardless of size, to designate a Qualified Individual to oversee the security program (the 5,000-consumer threshold only exempts smaller firms from certain written-documentation requirements, not from this one). Many firms haven't made this designation, or have made it on paper without giving that person the authority and budget to drive real change.
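The untested-backup failure just described, and the quarterly restore test recommended in the plan components above, come down to one check: restore the archive somewhere harmless and compare what came back against what was supposed to be there. The script below is an added example, not code from the original article or from NorthStar; it assumes a backup convention (a tar.gz archive plus a manifest of SHA-256 digests recorded at backup time) chosen here for illustration, and the client files it packs are constructed sample data. It exercises three cases: a clean backup, one whose contents changed after the manifest was written (bit rot or tampering), and one that never captured a database the BCP lists as critical.

```python
"""Quarterly restore test for an offline backup archive.

Added example (not from the original article). Assumes the backup job
writes a tar.gz archive plus a manifest mapping each relative path to the
SHA-256 hex digest of its contents; that convention is an assumption made
for this illustration.
"""
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_backup(files: dict) -> tuple:
    """Create an in-memory tar.gz of `files` and the matching manifest.

    Stands in for the nightly backup job. In production the manifest must be
    stored with the offline copy so a tampered archive cannot rewrite it.
    """
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[path] = sha256_bytes(data)
    return buf.getvalue(), manifest


def restore_and_verify(archive: bytes, manifest: dict, required: set) -> dict:
    """Restore `archive` into a scratch directory and check every file.

    Reports files whose digest differs from the manifest (corrupt), files the
    manifest lists but the archive lacks (missing), and files the BCP calls
    critical that the backup job never captured at all (uncaptured).
    """
    report = {
        "ok": [],
        "corrupt": [],
        "missing": [],
        "uncaptured": sorted(required - set(manifest)),
    }
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            # Use the stdlib "data" filter where available (3.12+, and the
            # security backports) so a crafted archive cannot write outside
            # the scratch directory via absolute or "../" member names.
            extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **extract_opts)
        for path, expected in sorted(manifest.items()):
            target = os.path.join(scratch, path)
            if not os.path.isfile(target):
                report["missing"].append(path)
                continue
            with open(target, "rb") as fh:
                actual = sha256_bytes(fh.read())
            bucket = "ok" if actual == expected else "corrupt"
            report[bucket].append(path)
    report["passed"] = not (report["corrupt"] or report["missing"] or report["uncaptured"])
    return report


# Constructed sample data standing in for a CPA firm's critical records.
SAMPLE_FILES = {
    "clients/2025/smith_1040.pdf": b"%PDF-1.7 sample return for Smith\n",
    "clients/2025/jones_1120s.pdf": b"%PDF-1.7 sample return for Jones\n",
    "engagements/smith_letter.docx": b"PK engagement letter\n",
    "practice_mgmt/clients.db": b"SQLite format 3\x00 sample\n",
}
# What the BCP says every backup must contain. billing.db is deliberately
# absent from the backup job's file set, to show that gap being caught.
REQUIRED = set(SAMPLE_FILES) | {"practice_mgmt/billing.db"}


def run_demo() -> dict:
    archive, manifest = build_backup(SAMPLE_FILES)
    clean = restore_and_verify(archive, manifest, set(SAMPLE_FILES))

    # Archive altered after the trusted manifest was recorded.
    tampered_files = dict(SAMPLE_FILES)
    tampered_files["clients/2025/smith_1040.pdf"] = b"%PDF-1.7 altered\n"
    tampered_archive, _ = build_backup(tampered_files)
    tampered = restore_and_verify(tampered_archive, manifest, set(SAMPLE_FILES))

    # Incomplete backup: the database directory was excluded from the job.
    partial_files = {k: v for k, v in SAMPLE_FILES.items() if not k.startswith("practice_mgmt/")}
    partial_archive, _ = build_backup(partial_files)
    partial = restore_and_verify(partial_archive, manifest, REQUIRED)

    return {"clean": clean, "tampered": tampered, "partial": partial}


if __name__ == "__main__":
    for name, result in run_demo().items():
        status = "PASS" if result["passed"] else "FAIL"
        print(f"{name}: {status} corrupt={result['corrupt']} "
              f"missing={result['missing']} uncaptured={result['uncaptured']}")
```

The `required` set is the piece most firms skip: it is the list of systems and data stores the BCP itself names as mission-critical, maintained independently of the backup job's configuration, so the test catches the case where the job runs green every night but was never pointed at the practice management database. Run it from a host that is not joined to the production domain, against the offline copy, and file the report with the quarterly review evidence.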
What Should Financial Services Firms Do Next?
Emergency preparedness for financial services is no longer just about weather events and office relocations. Cyber incidents are now the leading cause of business disruption in the financial sector, and regulators at every level — FINRA, SEC, FTC, and state attorneys general — expect your business continuity plan to reflect this reality.
At NorthStar Technology Group, we work with accounting firms, financial advisors, and broker-dealers to build unified emergency preparedness programs that satisfy both FINRA Rule 4370 BCP requirements and FTC Safeguards Rule obligations. That includes designing backup architectures that survive ransomware, building incident response playbooks with regulatory notification timelines, running tabletop exercises, and ensuring your plan is a living document — not a binder collecting dust. Visit northstartechnologygroup.com/services to learn how we help financial services firms prepare for the disruptions that matter most.
About the author

Ken Satkunam, CISM
President & Founder, NorthStar Technology Group
Ken has spent over 25 years in IT leadership, serving in roles from technical support to CIO for organizations as large as 23,000 employees. He founded NorthStar Technology Group in 2000 to help regulated organizations build secure, compliant, and operationally resilient technology environments. Ken holds the Certified Information Security Manager (CISM) credential from ISACA and is the co-author of the Amazon best-seller "Cyber Attack Prevention." He has been quoted in industry publications including eWeek and DM News, and NorthStar has been recognized on the Inc. 5000 list in both 2024 and 2025.