FINRA Fines Rialto Markets $50,000 for Cybersecurity and Supervisory Failures

Rialto Markets LLC, a FINRA-registered broker-dealer headquartered in New York, has agreed to pay a $50,000 fine and accept a censure in a settlement with the Financial Industry Regulatory Authority (FINRA) over serious deficiencies in safeguarding customer information.

Lapses in Cybersecurity and Supervision

According to FINRA, from November 2021 to June 2022, Rialto Markets failed to establish and maintain a supervisory system, including written supervisory procedures (WSPs), that were reasonably designed to protect sensitive customer records and information. This lack of adequate cybersecurity measures left the firm—and its clients—vulnerable to a major breach.

Despite being previously advised by FINRA to strengthen its cybersecurity posture.

The Cybersecurity Breach

In November 2021, a cyber intruder gained unauthorized access to a Rialto employees business email account, maintaining undetected access for more than three months. During this time, the unauthorized user had access to the nonpublic personal information (NPI) of over 4,400 customers.

In February 2022, while the firm was conducting a private offering, the hacker used the compromised email account to initiate the fraudulent transfer of over $1 million from the firm‘s escrow agent to a bank account under the attacker’s control. The breach was only uncovered after the unauthorized transfer was detected.

While government authorities were able to recover part of the stolen funds, the firms escrow agent had to cover the remaining losses to make investors whole.

Regulatory Violations

FINRA concluded that Rialto Markets violated the Safeguards Rule, as well as FINRA Rules 3110 (Supervision) and 2010 (Standards of Commercial Honor and Principles of Trade). The firm consented to the findings without admitting or denying the allegations.

About Rialto Markets

Rialto Markets has been a FINRA member since May 2017. The firm primarily operates in the space of private placement offerings and capital formation for startups and emerging companies.

Conclusion

This enforcement action underscores the increasing regulatory scrutiny around cybersecurity and the need for all financial firms, especially those handling sensitive client data, to implement robust, up-to-date systems and procedures to protect investors and prevent fraud.