FINRA Fines Osaic Wealth, Securities America Over Cyber Breaches

The breaches compromised the personal data of more than 32,000 clients, FINRA says.

The Financial Industry Regulatory Authority is requiring Osaic Wealth and Securities America to each pay a $150,000 fine over cyber breaches in which each firm experienced numerous cyber intrusions, many of which involved email account takeovers that could have been prevented by, for example, multi-factor authentication.

The intrusions, according to FINRA’s order, allowed unauthorized third parties to gain access to customers’ nonpublic personal information including, among other things, Social Security numbers, dates of birth, bank account numbers and drivers’ license information.

Osaic Wealth and Securities America both self-reported cybersecurity incidents that occurred at branch offices of each firm.

Specifically:

FINRA charged both Osaic and Securities America with violating the Safeguards Rule, which requires that broker-dealers “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”

A violation of the Safeguards Rule or FINRA Rule 3110 also constitutes a violation of FINRA Rule 2010, which requires FINRA members, in the conduct of their business, to “observe high standards of commercial honor and just and equitable principles of trade.”

Osaic Wealth has approximately 7,400 registered representatives and 3,400 branch offices.

Until June 30, 2023, Osaic Wealth was known as Royal Alliance Associates Inc.

Securities America has approximately 3,400 registered representatives and 1,900 branch offices.

Between January 2021 and March 2023, the FINRA order explains, Osaic Wealth and Securities America each relied on an enterprise-level cybersecurity program provided by their corporate parent, Advisor Group, which rebranded as Osaic in June.

“However, prior to March 2023, each firm’s WSPs permitted independent branch offices to develop their own security and data loss prevention controls,” the order states.

Until March 2023, “neither Osaic Wealth nor Securities America required, and therefore many of their branch offices lacked, data loss prevention controls such as multi-factor authentication for all email accounts, encryption for outbound emails with customers’ nonpublic personal information, and maintenance of email access logs,” the order states.

Osaic Wealth and Securities America were on notice from FINRA examinations prior to the relevant period that they lacked reasonable cybersecurity controls at branch offices, according to the order.

Since March 2023, each firm has required multi-factor authentication on all email accounts used to conduct firm business and has adopted oversight procedures for supervising adherence to the multi-factor authentication policy, FINRA’s order explains.