Data Security Failures Lead to $650,000 FINRA Fine and Censure

Less than a month ago, FINRA censured and fined Lincoln Financial Securities for data security failures, or more specifically for failing to reasonably safeguard confidential customer data.

Just within the past couple of years, many of you may have heard me saying it’s sufficient to just “do something; don’t do nothing” when it comes to data security. More recently you may have instead heard me say that just doing something was no longer enough. FINRA’s recent action against Lincoln Financial proves my point.

Regulation S-P requires the adoption of “policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” Those policies and procedures, according to FINRA, must be reasonably designed to: (a) insure the security and confidentiality of customer records and information; (b) protect against anticipated threats or hazards to the security or integrity of customer records and information; and (c) protect against unauthorized access to or use of customer records and information that could result in substantial harm or inconvenience to any customer.

Although not all of you are necessarily FINRA members or connected to FINRA members, most of you are. And those of you who are not should not lull yourselves into thinking it does not affect you. Similar requirements exist elsewhere. Back to Regulation S-P and Lincoln Financial.

Lincoln Financial accepted and consented to FINRA’s findings, including among other things that it:

  • Failed to audit its representatives’ computers to determine whether any of them may have been accessed without authority;
  • Failed to ensure that a third-party vendor hired to configure the company’s cloud-based server properly installed antivirus software or data encryption for stored documents;
  • Failed to create a detailed enough Data Security Policy (which said, for example, that firewalls must be used, but failed to provide its representatives with guidance on what type of firewall had to be installed and how to install such a firewall);
  • Failed to monitor or audit vendors working to comply with the company’s new Data Security Policy; and
  • Failed to test and verify the security of information stored on its cloud-based server.

The list of “failures” attributable to Lincoln Financial is instructive. Assuming you have a data security policy in place (a critical assumption), you need to be taking proactive steps to ensure the policy is being implemented and tested.

  • Have you had your computers tested, and are you regularly testing them, to determine whether there has been any unauthorized access? Most victims of a cyberattack have no clue until more than 200 days later.
  • How closely are you paying attention to and verifying the effectiveness of any third-party vendors you are using?
  • Everywhere your policy requires something of those in your organization, are you also giving them guidance and detail on how to comply?
  • Are you testing and monitoring your systems for penetrations and weaknesses?

This list is partial at best. At least, though, use it as a starting point and a self-test. Hiring technical assistance to ensure compliance is cheap in the long run compared to the alternatives.