The Financial Industry Regulatory Authority (FINRA) made a bold statement about its commitment to cybersecurity on November 14, 2016. It issued a Resolution Waiver and Consent (“RWC”) indicating a settlement of a proceeding against Lincoln Financial Securities for $650,000. All broker-dealers who use third parties to provide platforms for online trades – which are just about all broker-dealers – should take notice.
The settlement arose from a breach of account information of Lincoln Financial’s subscribers by its cloud services provider including Social Security numbers, brokerage records and certain personal information. No information has surfaced to date that any of the information has been misused.
FINRA found that Lincoln’s agreement with the cloud provider, which did not specify in detail the standards and requirements for the provider to safeguard the subscriber information, and Lincoln’s failures to monitor the provider’s performance, violated Rule 30 of SEC Regulation S-P and FINRA Rules 3001 and 2010, which require covered entities to take appropriate measures to safeguard confidential financial information.
It has been settled regulatory law for some time that a covered entity is responsible for the data that it entrusts with a third party such as a cloud provider. Healthcare regulatory agencies such as the Office for Civil Rights have held organizations responsible when their cloud providers lose data for some time even though the governing regulations, HIPAA, do not explicitly refer to cloud providers or other categories of third parties who access, store or transmit the covered entity’s protected data.
But the Lincoln Financial settlement is the first time that FINRA has waded into these waters with regard to vendors and, in so doing, has made a bold statement that it has moved into the 21st century with regard to cybersecurity enforcement, and that it intends to stay there. Broker-dealers should, therefore, follow contract best practices and insist on security safeguards in agreements with cloud providers. Broker-dealer counsel should also consider indemnification clauses and perhaps a requirement that the cloud provider obtain cyber risk insurance that names the broker-dealer as an additional insured.
These are but the tip of the iceberg, though, in contractual protections for broker-dealers. FINRA has served notice that it considers these contracts an integral aspect of cybersecurity protection, and, that in the event of a breach, it will scrutinize these agreements for the required protections.
If you have questions about agreements between broker dealers and cloud services providers, please contact Kenneth N. Rashbaum.