A large BD/IA agreed to pay a $1 million fine and retain an independent compliance consultant as a result of a third-party intrusion into its customer system. Outside hackers impersonated independent consultant registered representatives and tricked internal IT personnel into changing passwords over the phone. Although there was no unauthorized transfer of funds, the impersonators were able to access personally identifiable information of over 5,000 customers. The SEC charges the firm with violating the Safeguards Rule and with failing to implement an effective Identity Theft Prevention Program. The SEC faults the firm for allowing outside contractors to use their own equipment, which often had security and encryption problems, and for failing to follow remote session termination procedures.
OUR TAKE: This is the nightmare scenario for retail BD/IAs. The desire to make life easier for the producing reps creates IT vulnerabilities exploited by bad actors. Our recommendation is to retain an outside firm that can conduct an honest vulnerability assessment.