Thursday, September 11, 2008
The SEC instituted an enforcement action against LPL Financial Corporation for failing to adopt policies and procedures to safeguard its customers' personal information, leaving at least 10,000 customers vulnerable to identity theft following a series of hacking incidents involving LPL's online trading platform. Under the Safeguards Rule of Regulation S-P of the federal securities laws, broker-dealers and SEC-registered investment advisers like LPL are required to adopt policies and procedures reasonably designed to safeguard customer information. The firm agreed to pay a $275,000 penalty to settle the SEC's enforcement action without admitting or denying the findings.
The SEC's administrative order against LPL finds that the firm conducted an internal audit in mid-2006 that identified inadequate security controls to safeguard customer information at its branch offices. LPL's audit specifically identified the risk from hacking. The SEC's order finds that LPL failed to take timely corrective action because, by the time that hacking incidents began in July 2007, the firm had not implemented increased security measures in response to the identified weaknesses. According to the SEC's order, LPL experienced multiple hacking incidents between July 2007 and early 2008, and unauthorized persons gained access to the online trading platform LPL provided for its registered representatives. Once logged onto LPL's trading platform, the perpetrators placed or attempted to place 209 unauthorized securities trades worth more than $700,000 combined in 68 customer accounts.