FINRA fines Osaic Wealth and Securities America for failing to prevent cyber intrusions
The Financial Industry Regulatory Authority (FINRA) has fined Osaic Wealth, Inc. (formerly known as Royal Alliance Associates, Inc.) and Securities America, Inc.
From January 2021 through March 2023, Osaic Wealth and Securities America each failed to establish and maintain a supervisory system, including written supervisory procedures (WSPs), reasonably designed to safeguard customer records and information.
Between January 2021 and March 2023, Osaic Wealth and Securities America each relied on an enterprise-level cybersecurity program provided by their corporate parent. However, prior to March 2023, each firm’s WSPs permitted independent branch offices to develop their own security and data loss prevention controls.
Until March 2023, neither Osaic Wealth nor Securities America required, and therefore many of their branch offices lacked, data loss prevention controls such as multi-factor authentication for all email accounts, encryption for outbound emails with customers’ nonpublic personal information, and maintenance of email access logs.
Osaic Wealth and Securities America were on notice from FINRA examinations prior to the relevant period that they lacked reasonable cybersecurity controls at branch offices. In addition, during the relevant period, each firm experienced numerous cyber intrusions, many of which involved email takeovers that could have been prevented by, for example, multi-factor authentication.
The intrusions allowed unauthorized third parties to gain access to customers’ nonpublic personal information including, among other things, Social Security numbers, dates of birth, bank account numbers, and driver’s license information. Specifically:
Osaic Wealth experienced 16 cyber intrusions resulting in the exposure of the nonpublic personal information of approximately 28,000 customers.
Securities America experienced eight cyber intrusions resulting in the exposure of the nonpublic personal information of at least 4,640 customers.
Following each of the intrusions, Osaic Wealth and Securities America followed their cybersecurity incident response policies, engaged outside cybersecurity consultants to assist with incident responses, and notified affected customers as well as FINRA.
However, until March 2023, neither Osaic Wealth nor Securities America enhanced their minimum cybersecurity requirements for branch offices, and throughout the relevant period individual branch offices at both firms did not enhance their own controls to require, for example, multi-factor authentication. In addition, the firms did not implement firm-wide procedures to require encryption of customers’ nonpublic personal information in outgoing emails.
Since March 2023, each firm has required multi-factor authentication on all email accounts used to conduct firm business and has adopted oversight procedures for supervising adherence to the multi-factor authentication policy.
By failing to establish and maintain a supervisory system, including WSPs, reasonably designed to safeguard customer records and information, Osaic Wealth and Securities America violated the Safeguards Rule and FINRA Rules 3110 and 2010.
Osaic Wealth has consented to the imposition of a censure and a $150,000 fine. Securities America consented to the imposition of the same sanctions.