The SEC issued a cease and desist order and imposed a fine of $275,000 against LPL Financial due to the firm’s failure to implement adequate controls to protect access to customer accounts. Between mid-July 2007 and February 2008, LPL was subject to hacking incidents in which customer accounts were accessed and the perpetrator placed or attempted to place 209 unauthorized trades in 68 customer accounts, totaling over $700,000. At that time, the SEC found that LPL had failed to implement increased security measures and adopt policies and procedures reasonably designed to safeguard customer information as required by SEC regulation.
The SEC noted, among other things, that:
--LPL did not develop or maintain a complete set of policies and procedures addressing administrative, technical, and physical safeguards reasonably designed to protect customer records and information at its branch offices.
--LPL failed to reasonably evaluate security controls despite its knowledge of a prior data breach incident.
--A prior audit revealed deficiencies concerning users’ password complexity and session inactivity parameters.
The SEC Order In the Matter of LPL Financial Corp. is posted at http://www.sec.gov/litigation/admin/2008/34-58515.pdf