Firm Fined for Inadequate Cybersecurity and Customer Data Protection
Broker-Dealers
Cybersecurity
January 31, 2024
The Case
The firm failed to establish and maintain a supervisory system reasonably designed to safeguard customer records and information in violation of Rule 30(a) of Regulation S-P.
The firm needed stronger cybersecurity practices, including:
a system for monitoring all third-party access to firm systems
limiting third-party service providers’ access to the firm’s production data and systems
ensuring that any approved third-party service provider’s access to the firm’s production environment was logged and monitored
requiring multi-factor authentication for third-party service providers
implementing endpoint detection and response (EDR) and security operations center (SOC) monitoring of all access to firm systems, including access by third parties
Why Does This Matter?
The action’s emphasis on cybersecurity reflects the SEC’s heightened focus on registered investment advisers adopting and implementing cybersecurity policies and procedures. Some of the key concerns highlighted by this and previous actions include:
transparency of data breach disclosures
multi-factor authentication for email accounts
security of cloud-based email accounts, and
the importance of implementing an adequate incident response plan.
Based on recent legislation ushering in stricter customer data protection rules and disclosure requirements, fintechs must maintain cybersecurity measures and protect client data.
Were similar regulations enforced in countries outside the US?
Data privacy regulation ramped up globally in 2023, with critical new laws and frameworks including the following:
Switzerland (Swiss Federal Data Protection Act)
Saudi Arabia (Saudi Arabia Personal Data Protection Law)
India (Digital Personal Data Protection Act)
EU (EU-US Data Privacy Framework, Digital Services Act, Digital Markets Act)
InnReg's Experience
Since its inception in 2013, InnReg has developed deep expertise in compliance services related to customer data protection and cybersecurity measures as part of its work during FINRA examinations and managing compliance programs for a wide range of fintechs.
Learn More About This Topic
For additional insights, read InnReg’s free Data Protection Compliance Checklist to help you build best practices to meet evolving regulatory requirements.