The Financial Industry Regulatory Authority fined two Osaic broker/dealers $150,000 each for lacking cybersecurity safeguards that might have prevented “numerous” cyber intrusions, according to the regulator.
The settlement against Osaic Wealth (formerly Royal Alliance) and Securities America details the cybersecurity lapses that allegedly occurred between January 2021 and March 2023. Last year, Osaic announced plans to merge its eight broker/dealers into a single entity. At the time of the lapses, both Royal Alliance and Securities America had not been rolled into Osaic Wealth, its b/d entity.
Both firms relied on an “enterprise-level” cyber program provided by Osaic. However, before March 2023, both firms’ procedures allowed independent branch offices to develop their own security and data loss prevention controls, FINRA claims.
Many branch offices didn’t have “data loss prevention controls such as multi-factor authentication for all email accounts, encryption for outbound emails with customers’ nonpublic personal information, and maintenance of email account logs,” according to the settlement. (Account logs can be used to follow activity within an account, including potential breaches.)
FINRA examiners had already put Royal Alliance and Securities America “on notice” for insufficient cyber protections at their branch offices. In December 2022, the firms demanded that branch offices get up to date on “minimum security and data loss prevention controls” by March 2023.
However, during this time period, hackers took advantage of the vulnerabilities, and the firms suffered several cyber intrusions, many involving email takeovers that could have been stopped by multi-factor authentication.
Royal Alliance suffered 16 breaches, with about 28,000 customers’ nonpublic personal information exposed (this could include Social Security numbers, dates of birth, bank account numbers and drivers’ license information). Securities America was hit by eight cyber intrusions, exposing the data of at least 4,640 customers.
After each breach, the b/ds brought in third-party cybersecurity consultants, notified the customers whose data was inadvertently released and informed FINRA, according to the settlement.
But it wasn’t until March 2023 that both firms got branch offices up to date on minimum cybersecurity needs, according to FINRA. By March, each firm required multi-factor authentication on all email accounts conducting firm business and more oversight.
Both b/ds agreed to a censure and the $150,000 fine without admitting nor denying the charges.
An Osaic spokesperson declined a request to comment for this article.
Take a look at our comprehensive guide to the best and most popular information ebooks and products available today on Detoxing, Colon Cleansing, Weight Loss and Dating and Romance. They are all in one spot, easy to find and compere to make a quick selection for the product that best fits your needs or wants.
So browse through a category and make your preferred selection and come back here to read more choice articles and get a few more helpful tips on ways to help your enhancement.
As an Amazon Associate I earn from qualifying purchases. “saubiosaubiosuccess.com is a participant in third party affiliate and advertising programs; The Amazon Services LLC Associates Program, Awin network, and other affiliate advertising programs are designed to provide a means for sites to earn advertising fees and commissions by advertising and linking to products on other sites and on Amazon.com. Amazon and the Amazon logo are trademarks of Amazon.com, Inc, or its affiliates.”
We use anonymous cookies and various 3rd-party services to optimise and to offer you a better, more personalised, browsing experience with advanced accessibility enhancements.
Dismiss
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
