FINRA Fines Firm for Failing to Safeguard Customer Data
A firm settled FINRA charges for failing to reasonably safeguard customer records and information.
FINRA found that an unauthorized user accessed a firm employee's email account and retained "unrestricted access to the nonpublic personal information of over 4,400 firm customers (including Social Security numbers, driver license numbers, and home addresses)" for more than three months. FINRA stated that while the firm was conducting a private offering, the unauthorized user used the compromised email account to "transfer ... over $1 million from the firm's escrow agent" to a bank account under the control of the unauthorized user. FINRA concluded that the firm failed to detect or prevent the intrusion until after the transfer occurred.
FINRA charged the firm for violating Regulation S-P Rule 30 ("Procedures to safeguard customer information, including response programs for unauthorized access to customer information and customer notice; disposal of customer information and consumer information") and FINRA Rules 3110 ("Supervision") and 2010 ("Standards of Commercial Honor and Principles of Trade").
FINRA noted that "upon discovering the cybersecurity breach," the firm identified the exposure of customer information, notified affected individuals and regulatory authorities, and offered "free credit monitoring" to impacted customers. FINRA also gave the firm credit for its remedial measures: enabling multi-factor authentication and audit logging, and configuring alerts for suspicious activity and for email forwarding rules.
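The remedial controls above include alerting on email forwarding rules, a common way an intruder with mailbox access keeps receiving a victim's mail and hides it from the owner. The order does not say what mechanism this intruder used; the following is an added example, not code from the FINRA order or from the firm, of the kind of check such an alert would run over mailbox-rule audit events. It assumes records shaped like Microsoft 365 unified audit log entries for the New-InboxRule and Set-InboxRule operations (the operation and parameter names are that product's); the sample records, the domain example-firm.com, the keyword list and the function names are constructed for this example.

```python
"""Flag mailbox rules that forward, redirect or hide mail (added example).

Assumes Microsoft 365 unified audit log records for New-InboxRule /
Set-InboxRule: a top-level "Operation" and "UserId", and a "Parameters"
list of {"Name": ..., "Value": ...}. Sample records are constructed.
"""
import json
from dataclasses import dataclass, field

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Rule parameters that send a copy of, or redirect, the matched mail.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Subject words an intruder staging a payment fraud commonly filters on
# (assumed list; tune to the organisation).
SUSPICIOUS_SUBJECT_WORDS = {"wire", "invoice", "payment", "escrow", "bank"}


@dataclass
class Finding:
    user: str
    operation: str
    severity: str                       # "high" (external forward) or "medium"
    reasons: list = field(default_factory=list)


def _parameters(record):
    """Flatten the record's Parameters list into {Name: Value}."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _split_list(value):
    """Split 'a@x.com; b@y.com' or '["a@x.com"]' into lower-cased items."""
    cleaned = value.replace("[", "").replace("]", "").replace('"', "")
    return [v.strip().lower() for v in cleaned.replace(";", ",").split(",") if v.strip()]


def _is_external(address, internal_domains):
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    return domain not in internal_domains


def evaluate_rule_event(record, internal_domains):
    """Return a Finding if this rule event looks risky, otherwise None."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = _parameters(record)
    reasons, severity = [], None

    for name in FORWARDING_PARAMS:
        if name not in params:
            continue
        external = [a for a in _split_list(params[name]) if _is_external(a, internal_domains)]
        if external:
            reasons.append(f"{name} -> external: {', '.join(external)}")
            severity = "high"                # mail leaving the tenant: page the on-call
        else:
            reasons.append(f"{name} -> internal recipient")
            severity = severity or "medium"

    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage=True (matched mail hidden from mailbox owner)")
        severity = severity or "medium"

    hits = set(_split_list(params.get("SubjectContainsWords", ""))) & SUSPICIOUS_SUBJECT_WORDS
    if hits:
        reasons.append(f"SubjectContainsWords matches financial keywords: {', '.join(sorted(hits))}")
        severity = severity or "medium"

    if not reasons:
        return None
    return Finding(record.get("UserId", "?"), record["Operation"], severity, reasons)


def scan(records, internal_domains):
    """Run evaluate_rule_event over every record and collect the findings."""
    findings = []
    for rec in records:
        finding = evaluate_rule_event(rec, internal_domains)
        if finding:
            findings.append(finding)
    return findings


def load_records(jsonl):
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


# Constructed sample audit lines: one classic BEC rule, one benign internal
# forward, one folder-only rule, and one unrelated sign-in event.
SAMPLE_AUDIT_JSONL = """\
{"Operation": "New-InboxRule", "UserId": "cfo@example-firm.com", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "attacker.mailbox@example-webmail.net"}, {"Name": "DeleteMessage", "Value": "True"}, {"Name": "SubjectContainsWords", "Value": "wire;escrow"}]}
{"Operation": "New-InboxRule", "UserId": "ops@example-firm.com", "Parameters": [{"Name": "Name", "Value": "Team copy"}, {"Name": "ForwardTo", "Value": "shared-ops@example-firm.com"}]}
{"Operation": "New-InboxRule", "UserId": "hr@example-firm.com", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"Operation": "UserLoggedIn", "UserId": "cfo@example-firm.com"}
"""

if __name__ == "__main__":
    for f in scan(load_records(SAMPLE_AUDIT_JSONL), {"example-firm.com"}):
        print(f"[{f.severity.upper()}] {f.user} {f.operation}: " + "; ".join(f.reasons))
```

The severity split matters operationally: a rule forwarding outside the organisation is worth an immediate page and a token revocation for that user, whereas an internal forward or a delete-only rule is a review item. A rule named "." with DeleteMessage set and a financial keyword filter, as in the first sample line, is the pattern to treat as confirmed compromise until proven otherwise.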
To settle the charges, the firm agreed to (i) a censure and (ii) pay a $50,000 fine.