The Financial Industry Regulatory Authority is requiring Osaic Wealth and Securities America to each pay a $150,000 fine over cyber breaches in which each firm experienced numerous cyber intrusions, many of which involved email takeovers that could have been prevented by, for example, multi-factor authentication.
The intrusions, according to FINRA's order, allowed unauthorized third parties to gain access to customers' nonpublic personal information including, among other things, Social Security numbers, dates of birth, bank account numbers and driver's license information.
Osaic Wealth and Securities America both self-reported cybersecurity incidents that occurred at branch offices of each firm.
Specifically:
- Osaic Wealth experienced 16 cyber intrusions resulting in the exposure of the nonpublic personal information of approximately 28,000 customers.
- Securities America experienced eight cyber intrusions resulting in the exposure of the nonpublic personal information of at least 4,640 customers.
FINRA charged both Osaic and Securities America with violating the Safeguards Rule, which requires that broker-dealers "adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information."
A violation of the Safeguards Rule or FINRA Rule 3110 also constitutes a violation of FINRA Rule 2010, which requires FINRA members, in the conduct of their business, to "observe high standards of commercial honor and just and equitable principles of trade."
Osaic Wealth has approximately 7,400 registered representatives and 3,400 branch offices.
Until June 30, 2023, Osaic Wealth was known as Royal Alliance Associates Inc.