FINRA Fines Firm for Failing to Safeguard Customer Information
A firm settled FINRA charges for failing to safeguard customer information held in a database outside the firm's data security network.
According to the AWC, the firm maintained a trade reconciliation database containing customer names, account numbers, account values, and holdings on a web-based platform located outside the firm's data security network. FINRA said the database was protected by multi-factor authentication and separate access credentials. FINRA found that only one employee ("Representative A") regularly accessed the database. FINRA said that, despite written supervisory procedures requiring the immediate termination of departing employees' system access, the firm's procedures did not address the reconciliation database, which was not monitored for unauthorized use.
FINRA found that when Representative A resigned, the firm disabled his access to other systems but failed to revoke his credentials to the reconciliation database. FINRA also found that several months after Representative A's resignation, Representative A accessed the system and downloaded reports containing information for approximately 8.2 million customers, including account values and holdings for roughly 3.4 million of them. FINRA noted that the reports did not include Social Security numbers, dates of birth, addresses, bank or payment card details, or login credentials, but nevertheless exposed significant nonpublic personal information.
FINRA said that upon discovery of the breach, the firm terminated Representative A's access, activated its cybersecurity incident response plan, notified affected customers and regulators, and enhanced its supervisory systems, including migrating the database into its core security perimeter.
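The control gap described in the two preceding paragraphs (an offboarding procedure that did not cover a system hosted outside the core perimeter, and no monitoring of that system for use after separation) and the remediation in the paragraph above can be expressed as three checks an access-governance team would run. The script below is an added example; it is not code from the firm, FINRA, or the original notice, and every system name, user, date, and log line in it is constructed for illustration.

```python
from datetime import date

# Constructed inventory of every system that holds customer data, including
# the one hosted outside the core security perimeter. After the departing
# user's access to the core systems was disabled, only the externally hosted
# reconciliation database still carries his account.
SYSTEM_INVENTORY = {
    "trading-platform": {"in_core_perimeter": True,  "accounts": {"rep_b", "ops1"}},
    "email":            {"in_core_perimeter": True,  "accounts": {"rep_b", "ops1"}},
    "recon-db":         {"in_core_perimeter": False, "accounts": {"rep_a"}},
}

# Constructed list of systems the written offboarding procedure actually names.
OFFBOARDING_PROCEDURE_SCOPE = {"trading-platform", "email"}

# Constructed HR separation records: user -> last day of employment.
SEPARATIONS = {"rep_a": date(2023, 1, 31)}

# Constructed access-log lines in the form "YYYY-MM-DD system user action".
ACCESS_LOG = """\
2023-01-15 recon-db rep_a login
2023-02-03 trading-platform rep_b login
2023-05-10 recon-db rep_a login
2023-05-10 recon-db rep_a export_report
"""


def systems_missing_from_procedure(inventory, procedure_scope):
    """Systems holding customer data that the offboarding procedure never mentions.

    This is the documentation gap: a procedure that lists only core systems
    can be followed to the letter and still leave an external system untouched.
    """
    return sorted(name for name in inventory if name not in procedure_scope)


def orphaned_accounts(inventory, separations):
    """(system, user) pairs where a separated employee still holds an account.

    Every system in the inventory is checked, whether or not it sits inside
    the core perimeter, so an externally hosted database cannot be skipped.
    """
    return sorted(
        (name, user)
        for name, system in inventory.items()
        for user in system["accounts"]
        if user in separations
    )


def post_separation_access(log_text, separations):
    """Log events by a separated user that are dated after that user's last day.

    This is the monitoring control the notice says was absent: a login or
    export by a former employee months after separation should alert.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, system, user, action = line.split()
        last_day = separations.get(user)
        if last_day is not None and date.fromisoformat(day) > last_day:
            hits.append((day, system, user, action))
    return hits


if __name__ == "__main__":
    print("Systems outside the written procedure:",
          systems_missing_from_procedure(SYSTEM_INVENTORY, OFFBOARDING_PROCEDURE_SCOPE))
    print("Accounts still held by separated users:",
          orphaned_accounts(SYSTEM_INVENTORY, SEPARATIONS))
    print("Access after separation:",
          post_separation_access(ACCESS_LOG, SEPARATIONS))
```

Run against the constructed data, the first check names the reconciliation database as uncovered by the procedure, the second finds the former employee's lingering account on it, and the third surfaces the login and report export that occurred months after the last day of employment. The three functions are independent on purpose: the inventory and procedure check is a periodic review, the orphaned-account check belongs in the offboarding workflow itself, and the log check is the detection that catches whatever the first two miss.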
FINRA concluded that the firm violated Regulation S-P Rule 30 ("Procedures to safeguard customer information, including response programs for unauthorized access to customer information and customer notice; disposal of customer information and consumer information") and FINRA Rules 3110 ("Supervision") and 2010 ("Standards of Commercial Honor and Principles of Trade").
To resolve the matter, the firm agreed to (i) a censure and (ii) a $375,000 fine.