Proper security controls and vendor due diligence could have helped the broker-dealer avoid a $650,000 settlement with the Financial Industry Regulatory Authority (FINRA).
On November 14, a subsidiary of Lincoln Financial Group agreed to pay a $650,000 fine brought by FINRA and to implement more robust security measures following a hack that compromised the information of 5,400 clients. This case, over the firm’s safeguards for client data residing in the cloud, is a prime example of the risks firms take when they fail to implement strong security controls and properly assess their third-party vendors.
This is not the first time Lincoln Financial was reprimanded by FINRA for lax security measures. In 2011, Lincoln Financial Securities Corp. paid a $450,000 fine for an alleged failure to protect confidential client data stored on its web-based portfolio management software. According to FINRA, since that time Lincoln Financial has not set up, maintained or enforced the necessary security measures to protect its confidential customer information – including written supervisory procedures and risk assessment documentation. From 2011 to 2015, Lincoln Financial allegedly left data stored at its branch offices unprotected, and at some point in 2012, hackers breached the cloud server of a branch office, exposing the confidential data of about 5,400 clients.
According to FINRA, despite paying that previous fine, Lincoln Financial neglected to implement stronger security measures: it neither provided its advisors with sufficient guidance on security, nor properly monitored, tested or verified the security of its cloud vendor to protect Lincoln’s customer information. All of these failures are violations of FINRA regulations.
Stronger Security Controls and Vendor Due Diligence
The Lincoln Financial case shows that, whether due to mistakes or malice, uncontrolled data put in the wrong hands can lead to costly legal and reputational damage. RIAs and broker-dealers must do everything they can to ensure the integrity of the firm’s information technology infrastructure. IT and security policies should not be generic but rather customized to reflect the business practices of the organization. Firms should consider placing specific references in their policies about employing the most up-to-date measures available and including easy-to-follow instructions on how to carry out these measures.
Thorough cybersecurity policies cover approved types of software, vendor due diligence, approved devices, data breach prevention, disaster recovery processes, which types of users should have access to which types of data, and much more – all while being tailored to the needs of the specific firm. Moreover, since technology evolves rapidly, policies also must be updated frequently. After all, outmoded policies are virtually useless.
The scope of the project is one reason firms seek out experts who specialize in this field. Industry-leading technology providers serving financial firms are best positioned to help RIAs and broker-dealers craft appropriate policies. Such providers understand the business, regulatory environment and types of software available to wealth managers. Furthermore, these providers can allow RIAs and broker-dealers to remain focused on their core competency instead of becoming distracted with IT infrastructure management.