Fine Amount: $50,000
Primary Violation: Failure to establish and maintain a supervisory system reasonably designed to safeguard customer records and information
Relevant Period: Nov-21 > Jun-22
Overview
FINRA fined Rialto Markets LLC $50,000 and issued a censure for violations of Rule 30(a) of Regulation S-P (the Safeguards Rule) under the Securities Exchange Act of 1934, as well as FINRA Rules 3110 and 2010.
The firm failed to implement adequate written supervisory procedures and systems to protect customer records, leading to a cybersecurity breach that exposed nonpublic personal information of over 4,400 customers and facilitated a fraudulent transfer of over $1 million.
Rialto Markets LLC, a FINRA member firm since May 2017 headquartered in New York, focuses on private placements and employs seven registered representatives. The enforcement action stemmed from FINRA's cycle examination. The firm violated the Safeguards Rule, which requires broker-dealers to adopt written policies and procedures for administrative, technical, and physical safeguards to protect customer records.
These must ensure security and confidentiality, guard against threats, and prevent unauthorised access causing harm. Additionally, FINRA Rule 3110 mandates a supervisory system and written procedures to achieve compliance with securities laws. Violations of these also breach FINRA Rule 2010, requiring high standards of commercial honor.
From November 2021 to June 2022, despite prior FINRA advice to address cybersecurity risks, the firm's written supervisory procedures (WSPs) lacked data loss prevention controls. This allowed an unauthorised user to access an employee's email account, exposing sensitive customer data and enabling fraud. The firm detected the breach only after the fraudulent transfer.
Post-breach, Rialto enhanced controls, notified affected parties, and offered free credit monitoring. Government authorities recovered some funds, and the escrow agent covered the rest.
Despite previous guidance from FINRA to establish WSPs and systems to mitigate cybersecurity risks, the firm did not update its procedures accordingly, leading to ongoing vulnerabilities throughout the relevant period.
The firm's WSPs did not mandate multi-factor authentication (an additional verification step beyond passwords) for all email accounts, a critical control to prevent unauthorised entry.
No systems were implemented to log and monitor email access events, such as login attempts or modifications, which could have created an audit trail for detecting anomalies like access from unfamiliar locations.
The firm lacked automated alerts for red flags, including unusual IP addresses or unauthorised email forwarding, which could have flagged potential breaches in real-time.
An unauthorised user accessed an employee's business email in November 2021, exposing nonpublic personal information and later using it to direct a fraudulent fund transfer.
The total penalty was $50,000
"From at least November 2021 to June 2022, Rialto Markets failed to establish and maintain a supervisory system, including written supervisory procedures (WSPs), reasonably designed to safeguard customer records and information in violation of Rule 30(a) of Regulation S-P... and FINRA Rules 3110 and 2010."
"Although FINRA had previously advised the firm to establish WSPs and systems to address and mitigate cybersecurity risks, the firm’s WSPs failed to address, and the firm failed to implement, data loss prevention controls such as multi-factor authentication for all email accounts, email access and other audit logs, alerts for suspicious activities such as anonymous IP address use, or email forwarding rules."
"In November 2021, an unauthorised user gained access to a firm employee’s business email account and had unrestricted access to the nonpublic personal information of over 4,400 firm customers... for over three months."