FINRA Fines Osaic B/Ds for Weak Cyber Defenses


The Financial Industry Regulatory Authority fined two Osaic broker/dealers $150,000 each for lacking cyber security safeguards that could have prevented “numerous” cyber intrusions, according to the regulator.

The settlement against Osaic Wealth (formerly Royal Alliance) and Securities America details cyber security failures that allegedly occurred between January 2021 and March 2023. Last year, Osaic announced plans to merge its eight broker/dealers into a single entity. At the time of the failures, neither Royal Alliance nor Securities America was yet part of Osaic Wealth, its b/d entity.

Both firms relied on an “enterprise-grade” cyber program provided by Osaic. However, before March 2023, both firms' procedures allowed independent branches to run their own security and data loss prevention controls, FINRA alleges.

According to the settlement, many branches lacked “controls to prevent data loss, such as multi-factor authentication for all email accounts, encryption for outgoing emails with non-public personal information of customers and maintenance of electronic email account logs.” (Account logs can be used to track activity within an account, including potential violations.)

FINRA examiners had already put Royal Alliance and Securities America “on notice” for inadequate cyber protections at their branch offices. In December 2022, the firms required branch offices to adopt “minimum security and data loss prevention controls” by March 2023.

However, during this period, hackers took advantage of the vulnerabilities and the firms suffered several cyber intrusions, many of which involved email accounts and could have been stopped by multi-factor authentication.

Royal Alliance suffered 16 breaches, exposing the non-public personal information of approximately 28,000 customers (this could include social security numbers, dates of birth, bank account numbers and driver's license information). Securities America was hit by eight cyber intrusions, exposing the data of at least 4,640 clients.

After each breach, the b/ds brought in third-party cybersecurity consultants, notified clients whose data was inadvertently released and informed FINRA, according to the settlement.

By March 2023, both firms had brought their branch offices up to the minimum cybersecurity requirements, according to FINRA. By then, both firms required multi-factor authentication on all e-mail accounts used to conduct firm business, along with greater oversight.

Both b/ds agreed to a censure and fine of $150,000 without admitting or denying the allegations.

A spokesman for Osaic declined a request to comment for this article.
