According to FINRA, Rialto Markets LLC was censured and fined $50,000 for failing to establish and maintain a supervisory system, including written supervisory procedures, reasonably designed to safeguard customer records and information, in violation of Regulation S-P.
The findings revealed serious cybersecurity deficiencies despite prior FINRA guidance. FINRA had previously advised the firm to establish procedures and systems to address and mitigate cybersecurity risks. However, the firm's procedures failed to address, and the firm failed to implement, critical data loss prevention controls including multi-factor authentication for all email accounts, email access and other audit logs, alerts for suspicious activities, and email forwarding rules.
The consequences of these failures were severe. An unauthorized user gained access to a firm employee's business email account and had unrestricted access to the nonpublic personal information of over 4,400 firm customers, including Social Security numbers, driver's license numbers, and home addresses. While the firm was engaged in a private offering, the unauthorized user exploited this access to facilitate the fraudulent transfer of over $1 million from the firm's escrow agent to a bank account controlled by the unauthorized user.
The firm did not detect or prevent the unauthorized access until after the fraudulent transfer was discovered. Government authorities recovered some of the transferred funds, and the firm's escrow agent made the offeror whole by providing the remaining funds.
Upon discovering the breach, the firm enhanced its cybersecurity controls and procedures. The firm also quickly identified affected customers, notified them and regulatory authorities, and offered free credit monitoring.
This case serves as a stark reminder of the importance of cybersecurity in the financial services industry. Investors should be aware that their personal information is entrusted to financial firms and should inquire about the security measures firms have in place to protect that information.