Firms Settle FINRA Charges for Failing to Safeguard Customer Records

Two affiliated broker-dealers settled FINRA charges for lacking reasonable cybersecurity controls at branch offices. The failures resulted in multiple incidents that exposed thousands of customers' personal information.

According to the AWC, the firms allowed each of their branch offices to develop its own security and data loss prevention controls. FINRA found that neither firm required, and many of their branch offices lacked, basic controls such as multi-factor authentication for email accounts, encryption of outbound emails containing customers' nonpublic personal information, and retention of email access logs. FINRA found that each firm experienced numerous cyber intrusions in which unauthorized third parties gained access to customers' nonpublic personal information, including Social Security numbers, dates of birth, bank account numbers and driver's license information.

FINRA said that after the intrusions, the firms followed their cybersecurity incident response policies, engaged outside cybersecurity consultants to assist with incident response, and notified affected customers as well as FINRA. However, neither firm improved its cybersecurity procedures for branch offices, nor did the individual branch offices improve their own controls. In addition, the firms did not implement firm-wide procedures requiring encryption of customers' nonpublic personal information in outgoing emails.

FINRA concluded that the firms violated Rule 30(a) of SEC Regulation S-P ("Procedures to safeguard customer records and information; disposal of consumer report information"), FINRA Rule 3110 ("Supervision") and FINRA Rule 2010 ("Standards of Commercial Honor and Principles of Trade").

To settle the charges, each firm agreed to (i) a censure and (ii) a $150,000 fine.
