Osaic, Securities America fined by Finra over cybersecurity

Osaic, Securities America fined by Finra over cybersecurity
The regulator fined the firms $150,000 each for failures related to protecting thousands of clients’ private information and cybersecurity gaffes.
MAR 15, 2024

The Financial Industry Regulatory Authority Inc. on Thursday fined Osaic Wealth Inc. and Securities America Inc. $150,000 each for failures related to protecting thousands of clients' private information and cybersecurity gaffes from January 2021 through last March.

Both firm are part of the broader Osaic network of broker-dealers, which until last year was dubbed Advisor Group.

The problems regarding client information were concentrated at various branch offices of the two firms, according to Finra.

"Until March 2023, neither Osaic Wealth nor Securities America required, and therefore many of their branch offices lacked, data loss prevention controls such as multi-factor authentication for all email accounts, encryption for outbound emails with customers’ nonpublic personal information, and maintenance of email access logs," according to the Finra settlement.

The firms were cited for violating Regulation S-P, a bedrock rule of the securities industry that prohibits disclosure of nonpublic personal information about clients to nonaffiliated third parties, such as other broker-dealers.

Multifactor authentication for electronic communications is widely regarded as a basic necessity for a financial services firm.

Both Osaic Wealth and Securities America agreed to the settlement with Finra but neither admitted to or denied Finra's findings. They were also censured over the matter.

An Osaic spokesperson said the firm declined to comment.

Advisor Group last year reported a data breach involving private client data, including Social Security numbers, to the state of Massachusetts.

"Multifactor authentication is something larger firms should have implemented already," said Max Schatzow, an industry attorney. "It's a relatively easy thing for a firm to get up and running from an infrastructure perspective, and it goes a long way to protecting clients."

Osaic Wealth and Securities America were on notice from Finra examinations prior to the relevant period that they lacked reasonable cybersecurity controls at branch offices, according to Finra.

"In addition, during the relevant period, each firm experienced numerous cyber intrusions, many of which involved email takeovers that could have been prevented by, for example, multi-factor authentication," according to the Finra settlement. "The intrusions allowed unauthorized third parties to gain access to customers’ nonpublic personal information including, among other things, Social Security number, dates of birth, bank account numbers, and drivers’ license information."

Osaic Wealth experienced 16 cyber intrusions resulting in the exposure of the nonpublic personal information of approximately 28,000 customers, according to Finra. Meanwhile, Securities America experienced eight cyber intrusions resulting in the exposure of the nonpublic personal information of at least 4,640 customers.

"Following each of the intrusions described above, Osaic Wealth and Securities America followed their cybersecurity incident response policies, engaged outside cybersecurity consultants to assist with incident responses, and notified affected customers as well as Finra," according to the Finra settlement. "However, until March 2023, neither Osaic Wealth nor Securities America enhanced their minimum cybersecurity requirements for branch offices, nor did individual branch offices at both firms enhance their controls to require, for example, multi-factor authentication throughout the relevant period."

Why precious metals belong in a diversified portfolio

Latest News

Why fixed income still belongs in your clients' portfolios
Why fixed income still belongs in your clients' portfolios

In an era of AI euphoria and market FOMO, getting back to basics with fixed income may be the most contrarian and most important move advisors can make.

Voya expands advisor managed accounts to add private market assets
Voya expands advisor managed accounts to add private market assets

Voya Financial adds private equity, credit and real estate options to its AMA program, building on support for looser federal investment rules in retirement accounts.

With executives leaving, Osaic’s Reid now in the spotlight
With executives leaving, Osaic’s Reid now in the spotlight

Shannon Reid, president of Osaic and the network’s number two executive, has plenty of challenges, industry executives said.

Investors sue crypto fund and platform, alleging $1.5 million never returned
Investors sue crypto fund and platform, alleging $1.5 million never returned

Auditors flagged the commingling. The COO allegedly knew. Investors kept getting the pitch

Wells Fargo nabs $1.7B RBC advisor team, loses two teams to LPL
Wells Fargo nabs $1.7B RBC advisor team, loses two teams to LPL

The advisors on the move include two brothers leading a family practice in Connecticut, and a husband-and-wife tandem working with business owners in the West Coast.

SPONSORED Who builds the income when the pension disappears?

Dan Biagini of American Equity says the steady decline of pensions, longer lifespans and a reset in interest rates are rewriting how advisors build retirement income

SPONSORED Why direct indexing stopped being optional

Direct indexing is on pace to outgrow ETFs and mutual funds. Northern Trust's Ken Lassner explains why the advisors who get it wish they had started sooner.