Lincoln Financial Group subsidiary, Indiana-based Lincoln Financial Securities Corp., has agreed to pay a $650,000 Financial Industry Regulatory Authority (FINRA) fine and tighten up its cybersecurity practices after hackers obtained sensitive information on 5,400 customers, FINRA reported Monday.
Breach Follows Recent FINRA Reprimand
This isn’t the first time Lincoln Financial Securities has been in trouble for less-than-adequate cybersecurity. In February 2011, FINRA fined the company $450,000 for insufficient cybersecurity on its electronic portfolio management system, according to the Law360 report. After the 2011 penalty, the company amended its cybersecurity policies to give representatives guidance on cloud-based data storage. Unfortunately, this was insufficient to prevent another breach.
Lincoln Financial waited until November 2012 to adopt proper written supervisory procedures on cloud-based system customer data storage. Just months before, hackers gained entry into the Lincoln Financial Securities’ cloud server and accessed numerous files containing confidential customer information.
According to Milwaukee-based U.S. whistleblower attorney Brian H. Mahany, FINRA has taken it easy on the company. “We feel the $650,000 fine was especially light. The company was fined $450,000 in 2011. Considering the cybersecurity breach in this case occurred just months after the prior violation, it is obvious that the company wasn’t doing its best to protect customer data.”
FINRA Mandates Robust Cybersecurity Protocols
FINRA regulations for brokerage firms require that members implement a cybersecurity protocol incorporating written supervisory procedures to protect sensitive customer data, such as names, addresses, Social Security numbers and account information, from unauthorized access. FINRA also requires that companies reasonably supervise and retain consolidated reports containing customer assets and account information.
From December 2010 to December 2013, FINRA claims, Lincoln Financial Securities used software to generate consolidated customer reports. This software permitted manual entry of customer asset data without written customer authorization, did not back up the reports for later authentication and audit, and was unable to reproduce a consolidated report at a later date. The only way to retrieve a report was to go back to the email in which it had been sent to the customer. Lincoln Financial Securities did not require central storage of reports or the filing of backup copies.
Lincoln Financial Securities began using its cloud-based storage system in June 2011. FINRA maintains that, at that time, the company failed to take the required cybersecurity measures to protect customer information. Specifically, the company did not confirm that its third-party vendors had properly installed antivirus software and data encryption software.
In addition, Lincoln Financial Securities’ cybersecurity procedures did not include detailed protocols for representatives. The policy required branch representatives to install firewalls, but did not specify minimum firewall requirements or installation instructions. The company also failed to confirm that representatives and third-party vendors followed company cybersecurity policy and took the appropriate steps to protect data stored on on-site office computers, Law360 reports.
“Lincoln Financial argued that it implemented a Data Security Policy that included a requirement that all computers have adequate firewalls. Regulators countered that the policy required individual employees to comply, folks with little technical expertise,” Mahany said. “Just as banks can’t use outsourcing to avoid cyber theft liability, they also can’t put the onus of compliance completely on workers.”
FINRA Fines $650K, Requests Corrective Action Protocol
These inadequacies in Lincoln Financial Securities’ cybersecurity practices resulted in FINRA violations and a $650,000 fine. On October 21, 2016, Lincoln Financial prepared a corrective action protocol that increases cybersecurity personnel and calls for an assessment of Lincoln’s cybersecurity systems, practices and policies by a panel of cybersecurity experts.
“The important takeaway here is that banks and other financial institutions can’t escape liability by simply outsourcing their data systems to third parties,” Mahany said. “The bank itself remains responsible in the event of a breach.”
FIRREA Offers Cash Awards for Tips on Inadequate Cybersecurity
Both banks and brokerage firms are required by law to implement adequate cybersecurity measures. Banks must immediately report any violations of cybersecurity requirements or indications of a cybersecurity breach to federal regulators. Because sensitive customer and bank information must be protected from hacks and cybertheft, cybersecurity violations by banks may also be in violation of the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA).
To provide incentive for insiders to report violations, the government pays cash awards to bankers, accountants, representatives and other financial professionals for information on cybersecurity flaws or breaches. Since award amounts are determined as a percentage of any fines imposed by the government, awards are substantial and can reach over $40 million.