According to FINRA, Securities America, Inc. (CRD #10205), based in La Vista, Nebraska, was fined $150,000 on March 14, 2024, for failing to establish a supervisory system reasonably designed to safeguard customer records and information in compliance with the Safeguards Rule. This action was part of a joint case that also included Osaic Wealth, Inc.

FINRA's investigation found that Securities America, like its co-respondent, failed to implement adequate cybersecurity protections to safeguard the sensitive personal and financial information of its customers. The firm allowed branch offices to develop their own security controls without sufficient firm-level oversight, creating an inconsistent and inadequate patchwork of cybersecurity measures across the organization.

Specifically, FINRA found that Securities America did not require multi-factor authentication (MFA) for accessing systems that contained customer information until March 2023. Multi-factor authentication is considered a baseline cybersecurity measure by industry standards and regulatory guidance, requiring users to verify their identity through multiple methods before gaining access to sensitive systems. The firm also failed to require email encryption, which left customer communications susceptible to interception by unauthorized parties. Furthermore, the firm did not maintain email access logs, undermining its ability to detect and investigate unauthorized access to customer information.

These cybersecurity deficiencies were not merely theoretical risks. FINRA noted that the firm experienced numerous cyber intrusions as a result of its inadequate safeguards. Each intrusion represented a potential exposure of customer data, including names, account numbers, Social Security numbers, and other sensitive information that could be exploited for identity theft or financial fraud.

The Safeguards Rule requires broker-dealers to implement written policies and procedures that provide for administrative, technical, and physical safeguards designed to protect the confidentiality and integrity of customer records and information. Securities America's failure to meet these requirements across its branch network constituted a violation of its supervisory obligations under FINRA rules.

Investors can draw several important lessons from this case. The protection of personal data is a fundamental obligation of financial firms, not a discretionary practice. Customers should proactively inquire about the cybersecurity measures their broker-dealer employs, including whether multi-factor authentication is mandatory and whether sensitive communications are encrypted. Investors should also regularly review their account statements for any unauthorized transactions and promptly report suspicious activity. In an increasingly digital financial landscape, robust cybersecurity practices are essential to maintaining trust between investors and the firms that serve them. (FINRA Case #2021071722201)