FINRA fines Bolton Global Capital following cybersecurity incident
Bolton Global Capital has agreed to pay a fine of $75,000 as part of a settlement with the Financial Industry Regulatory Authority (FINRA).
From October 2020 to October 2021, Bolton failed to establish and maintain a supervisory system reasonably designed to safeguard customer records and information.
On August 12, 2021, an unauthorized third party gained access to Bolton’s network and data, exposing records and nonpublic personal information for over 6,000 firm customers. The unauthorized third party gained that access through a device used by a third-party service provider who had administrative access to the firm’s data and systems, but for whom Bolton did not require multi-factor authentication.
Bolton followed its cybersecurity incident response policies and self-reported the incident to FINRA shortly after discovering it. Bolton also engaged outside expert cybersecurity consultants to assist with its incident response, and the firm notified affected customers of the incident.
The firm took additional steps, including making investments to identify and remediate existing or potential vulnerabilities in its cybersecurity program, requiring multi-factor authentication for third-party service providers, and implementing endpoint detection and response and security operations center monitoring of all access to firm systems, including third-party access.
As a result, Bolton violated the Safeguards Rule and FINRA Rule 2010.
In addition to the fine, the firm has agreed to a censure.