FINRA fines Rialto Markets for deficiencies in safeguarding customer info
Rialto Markets LLC has agreed to pay a fine of $50,000 as part of a settlement with the Financial Industry Regulatory Authority (FINRA).
From at least November 2021 to June 2022, the firm failed to establish and maintain a supervisory system, including written supervisory procedures, reasonably designed to safeguard customer records and information.
Although FINRA had previously advised the firm to establish written supervisory procedures (WSPs) and systems to address and mitigate cybersecurity risks, the firm’s WSPs failed to address, and the firm failed to implement, data loss prevention controls such as multi-factor authentication for all email accounts, email access and other audit logs, alerts for suspicious activities such as anonymous IP address use, or email forwarding rules.
In November 2021, an unauthorized user gained access to a firm employee’s business email account and had unrestricted access to the nonpublic personal information of over 4,400 firm customers (including Social Security numbers, driver’s license numbers, and home addresses) for over three months.
In addition, in February 2022, while the firm was engaged in a private offering, the unauthorized user used their access to the employee’s email account to facilitate the fraudulent transfer of over $1 million from the firm’s escrow agent to a bank account controlled by the unauthorized user.
The firm did not detect or prevent the unauthorized user’s access to the email account until after the fraudulent transfer was discovered. Government authorities recovered some of the transferred funds and the firm’s escrow agent made the offeror whole by providing the remaining funds.
Upon discovering the cybersecurity breach, the firm enhanced its cybersecurity controls and procedures, including enabling multi-factor authentication, email access and other audit logs, alerts for suspicious activity, and email forwarding rules for all email accounts.
In addition, the firm quickly identified that the nonpublic personal information of its customers was exposed, notified the affected customers, notified the proper regulatory authorities, and offered the affected customers free credit monitoring.
By failing to establish and maintain a supervisory system, including WSPs, reasonably designed to safeguard customer records and information, the firm violated the Safeguards Rule and FINRA Rules 3110 and 2010.
On top of the $50,000 fine, Rialto Markets consented to the imposition of a censure.
Rialto Markets has been a FINRA member since May 2017. The firm, which is headquartered in New York, New York, has a business focused primarily on the sale of private placements.