Quick Facts
Overview
FINRA fined Rialto Markets LLC $50,000 and issued a censure for violations of Rule 30(a) of Regulation S-P (the Safeguards Rule) under the Securities Exchange Act of 1934, as well as FINRA Rules 3110 and 2010.
The firm failed to implement adequate written supervisory procedures and systems to protect customer records, leading to a cybersecurity breach that exposed nonpublic personal information of over 4,400 customers and facilitated a fraudulent transfer of over $1 million.
Details of the Case
Rialto Markets LLC, a FINRA member firm since May 2017 headquartered in New York, focuses on private placements and employs seven registered representatives. The enforcement action stemmed from FINRA's cycle examination. The firm violated the Safeguards Rule, which requires broker-dealers to adopt written policies and procedures for administrative, technical, and physical safeguards to protect customer records.
These must ensure security and confidentiality, guard against threats, and prevent unauthorised access causing harm. Additionally, FINRA Rule 3110 mandates a supervisory system and written procedures to achieve compliance with securities laws. Violations of these also breach FINRA Rule 2010, requiring high standards of commercial honor.
From November 2021 to June 2022, despite prior FINRA advice to address cybersecurity risks, the firm's written supervisory procedures (WSPs) lacked data loss prevention controls. This allowed an unauthorised user to access an employee's email account, exposing sensitive customer data and enabling fraud. The firm detected the breach only after the fraudulent transfer.
Post-breach, Rialto enhanced controls, notified affected parties, and offered free credit monitoring. Government authorities recovered some funds, and the escrow agent covered the rest.
WORKED EXAMPLES
Ignoring Prior FINRA Advice on Cybersecurity
Despite previous guidance from FINRA to establish WSPs and systems to mitigate cybersecurity risks, the firm did not update its procedures accordingly, leading to ongoing vulnerabilities throughout the relevant period.
- Date: Pre-dating November 2021, with failures persisting from November 2021 to June 2022.
- Quote: "Although FINRA had previously advised the firm to establish WSPs and systems to address and mitigate cybersecurity risks, the firm’s WSPs failed to address, and the firm failed to implement, data loss prevention controls."
- Impact: This oversight directly contributed to the lack of basic safeguards, enabling a prolonged breach that exposed customer data and resulted in financial fraud; it highlighted a systemic failure in responding to regulatory recommendations.
Lack of Multi-Factor Authentication
The firm's WSPs did not mandate multi-factor authentication (an additional verification step beyond passwords) for all email accounts, a critical control to prevent unauthorised entry.
- Date: Failures in place from at least November 2021 to June 2022.
- Quote: "the firm’s WSPs failed to address... multi-factor authentication for all email accounts."
- Impact: Facilitated initial unauthorised access in November 2021, allowing the intruder to maintain control for over three months; this led to the exposure of sensitive data for over 4,400 customers, including Social Security numbers, and enabled subsequent fraudulent activities.
Absence of Email Access and Audit Logs
No systems were implemented to log and monitor email access events, such as login attempts or modifications, which could have created an audit trail for detecting anomalies like access from unfamiliar locations.
- Date: Throughout the period from November 2021 to June 2022.
- Quote: "Email access logs are records of events that provide an audit trail that can be used to monitor activity within the email account, identify policy violations, pinpoint fraudulent or unusual activity, and highlight security incidents."
- Impact: Prevented early identification of suspicious activity, such as anonymous IP address use; as a result, the unauthorised user went undetected until after orchestrating a $1 million+ fraudulent transfer in February 2022.
No Alerts for Suspicious Activities or Email Forwarding Rules
The firm lacked automated alerts for red flags, including unusual IP addresses or unauthorised email forwarding, which could have flagged potential breaches in real-time.
- Date: Failures ongoing from November 2021 to June 2022.
- Quote: "alerts for suspicious activities such as anonymous IP address use, or email forwarding rules."
- Impact: Allowed the intruder to set up forwarding or other manipulations without detection; this contributed to the three-month access period and the successful fraudulent transfer of over $1 million from the escrow agent during a private offering in February 2022, with partial recovery by authorities.
UnauthoriSed Data Exposure and Fraudulent Transfer
An unauthorised user accessed an employee's business email in November 2021, exposing nonpublic personal information and later using it to direct a fraudulent fund transfer.
- Date: Initial access in November 2021; fraudulent transfer in February 2022; undetected until after the transfer, with issues spanning to June 2022.
- Quote: "an unauthorised user gained access to a firm employee’s business email account and had unrestricted access to the nonpublic personal information of over 4,400 firm customers (including Social Security numbers, driver license numbers, and home addresses) for over three months... the unauthorised user used their access to the employee’s email account to facilitate the fraudulent transfer of over $1 million."
- Impact: Exposed data for 4,400+ customers risked substantial harm or inconvenience; the fraud involved transferring funds from the escrow to a controlled account, with government recovery of some amount and the escrow agent reimbursing the rest to make the offeror whole; the firm only detected the breach post-transfer.
Fines and Penalties
Key Quotes
"From at least November 2021 to June 2022, Rialto Markets failed to establish and maintain a supervisory system, including written supervisory procedures (WSPs), reasonably designed to safeguard customer records and information in violation of Rule 30(a) of Regulation S-P... and FINRA Rules 3110 and 2010."
"Although FINRA had previously advised the firm to establish WSPs and systems to address and mitigate cybersecurity risks, the firm’s WSPs failed to address, and the firm failed to implement, data loss prevention controls such as multi-factor authentication for all email accounts, email access and other audit logs, alerts for suspicious activities such as anonymous IP address use, or email forwarding rules."
"In November 2021, an unauthorised user gained access to a firm employee’s business email account and had unrestricted access to the nonpublic personal information of over 4,400 firm customers... for over three months."
Sources
