With the recent focus by the SEC and FINRA on cybersecurity for broker-dealers and investment advisers as a backdrop, FINRA recently brought and settled an enforcement action under SEC Regulation S-P against broker-dealer Sterne, Agee & Leach, Inc. The case arose from a May 2014 incident in which a Sterne information technology employee inadvertently left an unencrypted laptop in a restroom and it was lost. The laptop is believed to have contained account numbers, names, addresses, and in some cases tax identification numbers for over 352,000 clients. FINRA’s Acceptance, Waiver and Consent charging and settlement document (“AWC”), and comments by senior FINRA executives last week at FINRA’s annual conference, demonstrate that FINRA’s focus was the failure of Sterne’s supervisory system, not the actions of the individual employee.
Rule 30 of Reg S-P provides that every broker and dealer “must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.”
In the May 22, 2015, AWC, FINRA found that Sterne violated Reg S-P as well as FINRA’s supervision rule, Rule 3010, based on Sterne’s failure to establish a system that required and provided for the protection of customer data using “appropriate technological precautions.” FINRA found that this failure persisted from 2009 until June 2014, after the laptop was lost. FINRA noted that Sterne recognized in March 2009 the need to encrypt laptops, but failed to adopt policies requiring encryption, and failed to provide adequate funding to enable the encryption. (Facts not mentioned in the AWC: according to a June 2014 Sterne letter to clients, the laptop was password protected; and Sterne offered affected clients free identity theft protection services.)
The AWC cited FINRA Notice to Members 05-49 (“Safeguarding Confidential Customer Information”) as providing that the factors FINRA will look to in evaluating the adequacy of a firm’s system for protecting customer data include “whether the member’s existing policies and procedures adequately address the technology currently in use” (in this case, FINRA found that Sterne’s written supervisory procedures, or WSPs, did not adequately address laptops) and “whether the member had taken appropriate technical precautions to protect customer information” (in this case, FINRA found that Sterne’s WSPs failed to ensure safeguarding of customer data by appropriate technology, such as encryption).
Under the settlement, Sterne was fined $225,000. Sterne is also required to conduct an internal review of its policies, systems, procedures, and training, after which it must certify to FINRA that it has in place adequate WSPs.
Speaking at the “Ask FINRA Senior Staff” session of FINRA’s annual conference last Friday, two senior executives explained that, in FINRA’s view, the case was not about FINRA disciplining a firm for an isolated, inadvertent mistake. EVP and Head of Enforcement J. Bradley Bennett said there are plenty of cases that FINRA doesn’t bring involving isolated instances “where things just happen.” EVP and Head of Member Regulation-Sales Practice Michael Rufino said that the Sterne case involved not an isolated incident but a systemic breakdown, in which the firm was aware of the issue and chose not to act until later.
Two takeaways from the Sterne AWC. First, it was in 2005 that FINRA, in NTM 05-49, noted the “increased use of laptops and wireless email devices” and stressed the importance of “appropriate safeguards, for example encryption.” It appears clear that, 10 years later, FINRA – like other regulators – sees encryption of laptops as no longer merely an option, but rather a minimum requirement for the protection of sensitive customer data.
Second, the Sterne AWC does not appear to signal a move on FINRA’s part toward “gotcha” enforcement in the cybersecurity area. Rather, what FINRA requires is that firms adopt reasonable supervisory systems and procedures, and that they implement these systems and procedures with reasonable diligence. Sterne, having identified encryption as a need, but having left that need unaddressed for five years, was hard-pressed to defend its data protection procedures and practices.
For guidance on dealing with post-breach inquiries by regulators across a span of industries, see: “A Deeper Dive: Regulatory Investigations Following a Reported Breach.”