Lincoln Financial Unit Hit with $650K Fine Over Data Hack
The Financial Industry Regulatory Authority censured Lincoln Financial Securities Corp., a Lincoln Financial Network broker-dealer, and fined it $650,000 for failing to reasonably safeguard confidential customer data, according to a letter of settlement posted on the regulator’s website on Tuesday.
The penalty highlights the increasing importance Finra is putting on cybersecurity and data privacy issues at firms ranging from wirehouses to robo-advisors and the need for vigilance in overseeing the integrity of core operating systems. Earlier this week, Cetera Financial Group’s 9,000 independent brokers lost access to key systems for almost two days due to a still-unexplained systems outage.
The Lincoln Financial fine originated with the parent company’s 2011 decision to use a cloud-based computer server for data storage, according to the Finra enforcement letter.
Users with foreign internet protocol addresses hacked the server and accessed confidential records of approximately 5,400 customers, Finra said. The data included account applications and customers’ social security numbers, according to the letter of acceptance signed by Lincoln Financial.
In an indication of the increasing complexity of guarding against cyberattacks, the regulator said Lincoln failed to ensure that the third-party vendor that configured the cloud server had properly installed antivirus software or data encryption for the stored documents.
A spokesman for Lincoln Financial Group, which neither admitted nor denied guilt in the settlement document, did not respond to a request for comment.
The brokerage unit of the life insurance and annuities company notified affected customers and offered them free credit monitoring for one year, according to the settlement letter. It said no hacked client information has to date resulted in identity theft.
As part of the settlement, Lincoln Financial Securities agreed to a revamp of its administration and consolidated report retention controls that will include hiring of additional security personnel and implementation of new cybersecurity technology.
In addition to accepting Finra’s charges of supervisory lapses from 2011 to 2015, Lincoln Financial also accepted the regulator’s charge that it failed to maintain and enforce a system to ensure preservation, retention and review of consolidated reports that brokers gave to clients from the end of 2010 through the end of 2013.
Lincoln Financial, which has more than 8,500 producing reps and more than 1,100 advisors, according to an Investment News survey, paid an earlier $450,000 fine to settle Finra charges that in 2011 it had inadequate supervisory systems for ensuring the confidentiality of customer information stored on its web-based electronic portfolio management system, according to the settlement document.
The Securities and Exchange Commission in 2015 issued a risk alert on cybersecurity and made it an exam priority after finding that 88% of broker-dealers and 74% of registered investment advisers had experienced cyber-attacks or had security gaps.