Skip to main content

What happens when an OSJ doesn’t safeguard the cloud?

By 02.17.17May 10th, 2019No Comments

By:  Charles Paikert – senior editor with Financial Planing, a SourceMedia publication
IBDs: Keep your head — or some IT supervision — in the cloud.

Independent broker-dealer Lincoln Financial Securities found out the hard way what happens when an OSJ’s cloud server vendor fails to protect customer information from hackers.

As part of a FINRA enforcement action, the Fort Wayne, Indiana-based firm agreed to a censure and a $650,000 fine for failing to reasonably “safeguard confidential customer data” and “supervise and retain consolidated reports.”

According to FINRA, foreign hackers penetrated the OSJ’s cloud-based servers and had access to customers’ nonpublic personal information. In a letter of acceptance, waiver and consent, FINRA faulted Lincoln for failing to monitor or test the third party vendor’s information security.


FINRA also alleged that the IBD failed to adopt reasonable data security policies that included specific firewall policies and related testing, and cited violations of Rule 30 of Regulation S-P, which requires the protection of customer records and information.

In a statement, Lincoln “accepted and consented to the AWC, without admitting or denying the findings.” The firm said it has implemented “corrective actions or enhancements” to address the security of confidential customer information and account statements.

“Firms must go the extra mile to protect customer information and not just rely on hiring a third party,” warned financial consultant Cipperman Compliance Services, in one of its regulatory releases. “FINRA will hold broker-dealers strictly liable for data breaches, even those occurring at the vendor.”

Legal cybersecurity expert Kenneth Rashbaum agrees.

“FINRA has sent a loud and clear message that broker dealers are ultimately responsible for data that place with third parties,” says Rashbaum, partner and head of privacy and cybersecurity practice at Barton in New York. “This is settled law but the agency by the amount of the fine apparently believes a reminder is necessary due to the growing amount of data placed with third parties such as cloud providers.”

Leave a Reply