The SEC has made it clear that cybersecurity has been and will likely remain an examination priority. A new Acceptance, Waiver and Consent was recently published by FINRA and it reminds us of the importance of establishing written supervisory policies and procedures which are designed to address cybersecurity threats in an industry which has become more prone to hacking.
Lincoln Financial Services (“LFS”), a broker-dealer headquartered in Fort Wayne, Indiana, was fined $650,000 for failing to reasonably supervise and retain consolidated reports and for failing to reasonably safeguard confidential customer data. This post solely addresses the SEC’s determination regarding LFS’ protection of customer information. The SEC found that from 2011 to 2015, LFS failed to protect confidential customer information as it had not established, maintained and enforced a sufficient supervisory system.
The Securities Exchange Act of 1934 (“Exchange Act”) provides that firms are tasked with developing policies and procedures related to the protection of customer records and information. Written supervisory policies and procedures are insufficient unless they “. . . (a) insure the security and confidentiality of customer records and information; (b) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (c) protect against unauthorized access to or use of customer records or information; and (c) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.”
LFS violated the Exchange Act when international hackers accessed a cloud-based computer server on which customer information had been stored. Social security numbers and other non-public personal customer data was stored on the server. A third-party vendor which had been hired by the LFS OSJ in question, configured the server, however, LFS failed to ensure that antivirus software or data encryption for stored documents had been properly installed.
While LFS had a “Data Security Policy” to provide guidance to registered representatives regarding the storage of customer information, the SEC determined that the Policy fell short. For example, the Policy contained a provision requiring that firewalls be put in place, but it did not explain the type of firewall that was sufficient or how to install a firewall. Further, LFS failed to monitor or review the activities of the third-party vendor and its registered representatives to ensure that customer information stored on the server was in fact protected. “From at least 2011 through 2015, [LFS] failed to adequately test and verify the security of information stored on cloud servers at [LFS’] branch offices. LFS also had no method to learn if a server at one of its branches was hacked. As a result, LFS was fined $650,000. Please click here to read more about this AWC.
Please contact us if your firm is in need of a Cybersecurity Policy. Consultants at Red Oak can also revise your current Cybersecurity Policy and answer general questions related to Cybersecurity.