The Financial Industry Regulatory Authority fined two Osaic broker/dealers $150,000 each for lacking cybersecurity safeguards that might have prevented “numerous” cyber intrusions, according to the regulator.
The settlement against Osaic Wealth (formerly Royal Alliance) and Securities America details the cybersecurity lapses that allegedly occurred between January 2021 and March 2023. Last year, Osaic announced plans to merge its eight broker/dealers into a single entity. At the time of the lapses, neither Royal Alliance nor Securities America had yet been rolled into Osaic Wealth, its broker/dealer entity.
Both firms relied on an “enterprise-level” cyber program provided by Osaic. However, before March 2023, both firms’ procedures allowed independent branch offices to develop their own security and data loss prevention controls, FINRA claims.
Many branch offices didn’t have “data loss prevention controls such as multi-factor authentication for all email accounts, encryption for outbound emails with customers’ nonpublic personal information, and maintenance of email account logs,” according to the settlement. (Account logs can be used to follow activity within an account, including potential breaches.)
FINRA examiners had already put Royal Alliance and Securities America “on notice” for insufficient cyber protections at their branch offices. In December 2022, the firms demanded that branch offices get up to date on “minimum security and data loss prevention controls” by March 2023.
However, during this period, hackers took advantage of the vulnerabilities, and the firms suffered several cyber intrusions, many involving email account takeovers that could have been stopped by multi-factor authentication.
Royal Alliance suffered 16 breaches, with about 28,000 customers’ nonpublic personal information exposed (this could include Social Security numbers, dates of birth, bank account numbers and driver’s license information). Securities America was hit by eight cyber intrusions, exposing the data of at least 4,640 customers.
After each breach, the b/ds brought in third-party cybersecurity consultants, notified the customers whose data was inadvertently released and informed FINRA, according to the settlement.
But it wasn’t until March 2023 that both firms got branch offices up to date on minimum cybersecurity requirements, according to FINRA. By March, each firm required multi-factor authentication on all email accounts used to conduct firm business and had imposed additional oversight.
Both b/ds agreed to a censure and the $150,000 fine without admitting or denying the charges.
An Osaic spokesperson declined a request to comment for this article.