Two things struck me about FINRA's $650,000 fine of Lincoln Financial this week: that Lincoln was charged with a failure to have written policies rather than an underlying cybersecurity violation, and that Lincoln was expected to ensure cybersecurity compliance through multiple layers of third parties.
By way of background, Lincoln operates through a network of representatives. Those representatives have at least some autonomy in setting up and operating IT systems—enough autonomy that they would select firewalls for themselves, to give one example. Of course, representatives don't necessarily have IT experience, so they may hire third-party vendors to help them. Meanwhile, Lincoln does some things centrally—like keeping information in the cloud through a third-party vendor.
Two things (allegedly) went wrong at Lincoln Financial. First, it didn't adequately supervise its cloud vendor, and as a result, foreign hackers managed to break in. Second, Lincoln didn't really help its representatives on the cybersecurity front. Although it had a written policy requiring representatives to have firewalls, for example, it didn't specify what kinds of firewalls were acceptable or how to configure them. Nor did Lincoln adequately require its representatives to supervise the representatives' IT vendors. (Again, this is all as alleged by FINRA.)
So, returning to my two observations:
FINRA's charges are intriguing. It identified two sets of relevant laws: (1) Gramm-Leach-Bliley, which requires financial institutions to have safeguards to protect consumer data, and (2) FINRA/NASD rules requiring entities to have written supervisory policies relating to the securities laws. But it didn't actually contend that Lincoln violated Gramm-Leach-Bliley—it didn't actually lodge a cybersecurity charge. Rather, it contended solely that Lincoln violated its duty to have written supervisory policies to prevent the failings identified above.
The case also highlights the potential complexity of third-party vendor management when it comes to cybersecurity. In this case, Lincoln had a responsibility to oversee its own cloud vendor, and a responsibility to oversee its representatives, and a responsibility to oversee how its representatives supervised their own vendors. In other words, multiple levels of nested supervision.
The outcome further highlights the need for lawyers in cybersecurity compliance. The issue for Lincoln Financial wasn't so much that it got hacked. Rather, Lincoln's principal failing was that it didn't manage its representatives and vendors with adequate written policies and requirements. And that's a job for a lawyer.