CSG Law Alert: FINRA’s May 2024 Monthly Disciplinary Actions Report – FINRA Signals More Aggressive Approach to Cybersecurity Cases

Until now, FINRA’s approach to firms’ compliance with their cybersecurity obligations could be described as “light-touch.” Perhaps wary of revictimizing the victims, FINRA rarely disciplined broker-dealers that suffered cyber-attacks. Instead, FINRA focused on assisting firms in strengthening their cybersecurity defenses by, among other things, issuing cybersecurity guidance, conducting training on cybersecurity issues, and publishing alerts on the latest cybersecurity threats. FINRA’s May 2024 Disciplinary Actions Report—which contains a case charging two broker-dealers for having allegedly inadequate cybersecurity controls—may be a sign that FINRA’s approach has changed, and the gloves are now off.

The two firms charged in the matter of Osaic Wealth, Inc., et al. each self-reported to FINRA that the firms had been the victims of one or more cybersecurity incidents. Although the Letter of Acceptance, Waiver and Consent (“AWC”) contains few details concerning the nature of these incidents, it states that many “involved email takeovers.” The AWC notes that, following each such incident, the firms (1) followed their cybersecurity incident response policies, (2) engaged outside cybersecurity consultants to assist with incident responses, and (3) notified affected customers and FINRA. Nevertheless, FINRA charged both firms with failing to maintain a supervisory system reasonably designed to safeguard customer information and fined each firm $150,000.

What warranted formal disciplinary action in this case? FINRA noted that certain branch offices of the broker-dealers did not have “data loss prevention controls” such as (1) multi-factor authentication for all email accounts, (2) encryption of outbound emails containing customer personal information, and (3) email access logs. FINRA also cited the fact that prior FINRA examinations had put both firms “on notice” that their cybersecurity controls were lacking.

Firms can draw several lessons from the Osaic case.

First, multi-factor authentication is a must. Here, FINRA charged the firms with failing to supervise for compliance with the Safeguards Rule of Regulation S-P. Although there is nothing in the Safeguards Rule that specifically requires firms to implement multi-factor authentication, the lack of multi-factor authentication seems to have been the primary factor driving FINRA’s findings of a violation. Indeed, in an AWC that is otherwise scant on factual findings, FINRA repeatedly admonished the firms for not mandating multi-factor authentication: “neither [firm] required … data loss prevention controls such as multi-factor authentication”; “email takeovers … could have been prevented by, for example, multi-factor authentication”; and “nor did individual branch offices … enhance their controls to require, for example, multi-factor authentication.”

Second, as we pointed out in a prior update, previous cautionary action letters (CALs) and exam findings can come back to haunt you. Indeed, the Osaic AWC states that the firms “were on notice from FINRA examinations prior to the relevant period that they lacked reasonable cybersecurity controls at branch offices.”

Finally, self-reporting potential violations to FINRA and promptly fixing the problem may not dissuade FINRA from pursuing formal disciplinary action. Here, both firms self-reported the breaches to FINRA. Both firms engaged outside cybersecurity consultants to assist with their response and remediation. And both firms fixed the problems a year before the AWC was issued. Nevertheless, not only did FINRA bring formal disciplinary action against both firms, but there is no indication in the AWC that either firm received any “credit” for these good deeds.

The charges in Osaic signal a significant shift by FINRA, and firms should be prepared for a more aggressive approach to cybersecurity cases.
