LPL Financial is paying the price today for failing to safeguard its customers’ personal information.
The firm was slapped with a $275,000 penalty issued by the SEC. The Commission says LPL failed to adopt policies and procedures reasonably designed to safeguard customer information—and it may have a point.
According to an internal audit in mid-2006, LPL identified hacking as a potential risk to the security of client information. Surely enough, the firm was victim to “multiple hacking incidents” between July 2007 and early 2008 when an unauthorized person gained access to the firm’s online trading platform. The hacker placed, or attempted to place, 209 unauthorized securities trades in 68 customer accounts worth more than $700,000 combined.
"Regulated entities should make it a priority to protect their customers' private information. LPL disregarded this crucial responsibility even in the face of known security deficiencies, and information of at least 10,000 customers may have been exposed as a result,” says Rosalind Tyson, regional director of the SEC's Los Angeles Regional Office.
In addition to the fine, the SEC ordered LPL to cease and desist from committing future violations of the Safeguards Rule. The firm also agreed to undertake certain remedial actions including retaining an independent consultant to review LPL's policies and procedures required by the Safeguards Rule. The firm will pay the fine, and agreed to the SEC’s order without admitting or denying the Commission’s findings.
“LPL Financial and its family of affiliated companies are committed to protecting the information entrusted to us by investors. Last year a very small number of our advisors and their clients were affected by Internet ID breaches. These incidents were not related to any company wide breach of the LPL Financial firewalls but rather resulted from the theft of legitimate usernames and passwords. Fortunately, we identified the intrusion early on, and not a single client lost money. We are putting in place new technology initiatives and industry best practice standards designed to ensure—to the extent we reasonably can—that this will never happen again,” the firm said in a statement.