Osaic, Securities America fined by Finra over cybersecurity

The regulator fined the firms $150,000 each for failures related to protecting thousands of clients’ private information and cybersecurity gaffes.
MAR 15, 2024

The Financial Industry Regulatory Authority Inc. on Thursday fined Osaic Wealth Inc. and Securities America Inc. $150,000 each for failures related to protecting thousands of clients' private information and cybersecurity gaffes from January 2021 through last March.

Both firms are part of the broader Osaic network of broker-dealers, which until last year was dubbed Advisor Group.

The problems regarding client information were concentrated at various branch offices of the two firms, according to Finra.

"Until March 2023, neither Osaic Wealth nor Securities America required, and therefore many of their branch offices lacked, data loss prevention controls such as multi-factor authentication for all email accounts, encryption for outbound emails with customers’ nonpublic personal information, and maintenance of email access logs," according to the Finra settlement.

The firms were cited for violating Regulation S-P, a bedrock rule of the securities industry that prohibits disclosure of nonpublic personal information about clients to nonaffiliated third parties, such as other broker-dealers.

Multifactor authentication for electronic communications is widely regarded as a basic necessity for a financial services firm.

Both Osaic Wealth and Securities America agreed to the settlement with Finra but neither admitted to or denied Finra's findings. They were also censured over the matter.

An Osaic spokesperson said the firm declined to comment.

Advisor Group last year reported a data breach involving private client data, including Social Security numbers, to the state of Massachusetts.

"Multifactor authentication is something larger firms should have implemented already," said Max Schatzow, an industry attorney. "It's a relatively easy thing for a firm to get up and running from an infrastructure perspective, and it goes a long way to protecting clients."

Osaic Wealth and Securities America were on notice from Finra examinations prior to the relevant period that they lacked reasonable cybersecurity controls at branch offices, according to Finra.

"In addition, during the relevant period, each firm experienced numerous cyber intrusions, many of which involved email takeovers that could have been prevented by, for example, multi-factor authentication," according to the Finra settlement. "The intrusions allowed unauthorized third parties to gain access to customers’ nonpublic personal information including, among other things, Social Security number, dates of birth, bank account numbers, and drivers’ license information."

Osaic Wealth experienced 16 cyber intrusions resulting in the exposure of the nonpublic personal information of approximately 28,000 customers, according to Finra. Meanwhile, Securities America experienced eight cyber intrusions resulting in the exposure of the nonpublic personal information of at least 4,640 customers.

"Following each of the intrusions described above, Osaic Wealth and Securities America followed their cybersecurity incident response policies, engaged outside cybersecurity consultants to assist with incident responses, and notified affected customers as well as Finra," according to the Finra settlement. "However, until March 2023, neither Osaic Wealth nor Securities America enhanced their minimum cybersecurity requirements for branch offices, nor did individual branch offices at both firms enhance their controls to require, for example, multi-factor authentication throughout the relevant period."
