FINRA FINES BOLTON CAPITAL; CUSTOMER RECORDS EXPOSED IN A DATA BREACH

November 3, 2023

November 3, 2023 – The Financial Regulatory Authority fined Bolton Global Capital (CRD #15650, Bolton, Massachusetts) $75,000, in part, for exposing customer records in a data breach. Bolton Global Capital entered into a settlement agreement, called a Letter of Acceptance, Waiver and Consent, in which FINRA found in part that “From October 2020 to October 2021, Bolton failed to establish and maintain a supervisory system reasonably designed to safeguard customer records and information in violation of Rule 30(a) of Regulation S-P of the Securities Exchange Act of 1934 (17 C.F.R. § 248.30(a)) (the Safeguards Rule) and FINRA Rule 2010.”

A Letter of Acceptance, Waiver and Consent (AWC) was issued in which the firm was censured and fined $75,000. Without admitting or denying the findings, the firm consented to the sanctions and to the entry of findings that it failed to establish and maintain a supervisory system reasonably designed to safeguard customer records and information in violation of Rule 30(a) of Regulation S-P of the Securities Exchange Act of 1934 (the Safeguards Rule).

The findings stated that the firm was on notice from a prior FINRA examination that, to comply with the Safeguards Rule, it needed stronger cybersecurity practices, including to limit the access of third-party service providers to the firm’s production data and systems, and to ensure that any approved third-party service provider’s access to the firm’s production environment was logged and monitored. Following that examination, the firm enhanced its cybersecurity program. Those enhancements included requiring multi-factor authentication for firm employees. However, the firm did not yet require multi-factor authentication for third-party service providers, at least one of whom continued to have administrative access to the firm’s systems and data. The firm also did not implement a system for monitoring all third-party access to firm systems.

In addition, an unauthorized third party gained access to the firm’s network and data, exposing records and non-public personal information of firm customers. This unauthorized access resulted from the unauthorized third party gaining access through a device used by a third-party service provider who had administrative access to the firm’s data and systems, but for whom the firm did not require multi-factor authentication.

The firm followed its cybersecurity incident response policies and self-reported the incident to FINRA shortly after discovering it. The firm also engaged outside expert cybersecurity consultants to assist with its incident response, and the firm notified affected customers of the incident. The firm took additional steps, including making investments to identify and remediate existing or potential vulnerabilities in its cybersecurity program, requiring multi-factor authentication for third-party service providers, and implementing endpoint detection and response and security operations center monitoring of all access to firm systems, including third-party access (FINRA Case #2021072622201).

If you were a customer of Bolton Capital between October 2020 and October 2021, you may have a claim for damages. Contact Sonn Law Group PA at 305912000
