
Category: information security

Chief Compliance Officer Stole Employee Information to Bid at Auctions

FINRA barred a Chief Compliance Officer for using his access to confidential employee records to create false online bidding accounts at auction houses. The respondent, who also served as the firm’s president, used his access as CCO to obtain employees’ driver’s license and passport information to impersonate those employees so that he could bid and acquire auction items. The auction houses had previously banned him because he successfully bid on items and did not pay for them.

The Chief Compliance Officer has extraordinary (and in some cases, unwarranted) access to employee records in addition to other confidential information such as executive meetings and emails. Firms should pursue enhanced background due diligence on potential CCO candidates, create information barriers so that the CCO does not have access to non-regulatory information, and implement a supervisory structure that ensures CCO accountability. Alternatively, consider outsourcing to a third-party firm that has limited access to firm systems as well as direct legal liability for breaches of confidentiality.

SEC Alerts RIAs/BDs to Cloud Provider Monitoring Obligations

The SEC’s Office of Compliance Inspections and Examinations (OCIE) has issued a Risk Alert warning firms to monitor and supervise third-party cloud providers that house their regulatory data. OCIE has observed many firms failing to properly configure security settings and thereby neglecting to use available security services such as encryption and password protection. OCIE has also seen weak oversight of third-party cloud providers, including failures to assess the providers’ information security and to use the security features they offer. OCIE would like to see substantive policies and procedures addressing the installation, maintenance and review of network storage solutions, as well as robust vendor management policies that require the regular implementation of software patches and hardware updates.

Firms can (and probably should) outsource their network and data storage to qualified vendors, but they cannot abdicate their responsibilities to ensure the data is protected from unauthorized intrusion. The compli-pros must work with the IT folks to assess the cloud provider’s ongoing compliance.

SEC Warns About Failures to Protect Personal Information

The SEC’s Office of Compliance Inspections and Examinations has published a Risk Alert calling out advisers and broker-dealers for their failures to protect personal information. Based on deficiencies identified over the last 2 years, the SEC found failures related to privacy notices, policies and procedures, and physical safeguards. The SEC faulted registrants for failing to deliver initial and annual privacy notices or for delivering notices that did not accurately reflect policies and procedures. The SEC found firms that completely failed to adopt policies and procedures by simply restating the Safeguards Rule. Other firms either adopted weak policies and procedures or failed to properly implement them. Some common deficiencies included unsecured laptops, unencrypted emails, inadequate training, insufficient control of third-party vendors, inadequate incident response plans, and shared login credentials. OCIE states that the Risk Alert is intended “to assist advisers and broker-dealers in providing compliant privacy and opt-out notices, and in adopting and implementing effective policies and procedures for safeguarding customer records and information.”

Compli-pros should ensure the annual testing program includes the privacy notice process and the implementation of policies and procedures to avoid the highlighted issues. It may make sense to combine the testing with the required cybersecurity assessment.

Hackers Impersonated Reps to Gain Access to Client Info

A large BD/IA agreed to pay a $1 Million fine and retain an independent compliance consultant as a result of a third-party intrusion into its customer system. Outside hackers impersonated independent contractor registered representatives and tricked internal IT personnel into changing passwords over the phone. Although there was no unauthorized transfer of funds, the impersonators were able to access personally identifiable information of over 5000 customers. The SEC charges the firm with violating the Safeguards Rule and with failing to implement an effective Identity Theft Prevention Program. The SEC faults the firm for allowing outside contractors to use their own equipment, which often had security and encryption problems, and for failures to follow remote session termination procedures.

OUR TAKE: This is the nightmare scenario for retail BD/IAs. The desire to make life easier for the producing reps creates IT vulnerabilities exploited by bad actors. Our recommendation is to retain an outside firm that can conduct an honest vulnerability assessment.

Broker-Dealer Ignored Information Barriers for Issuer Share Repurchases

The SEC fined a broker-dealer $1.25 Million for failing to respect required information barriers, thereby allowing the sharing of material nonpublic share buyback information with customers. The SEC alleges that the trading desk that executed issuer share repurchase trades shared order data with another desk that disclosed the information to customers. The head traders of the two desks shared trading intelligence, including access to the order management system. The SEC maintains that the information was material to an investment decision because third-party customers could use the trade orders as indications of the financial health of the underlying issuer. The SEC charges the firm with violating its own policies on information barriers.

OUR TAKE: It appears that the firm failed to implement a monitoring system to ensure that the trading desks observed information barriers. How firms ensure the protection of material nonpublic information should be part of the annual testing program.


FINRA Fines 12 Firms $14.4 Million for Failing to Maintain Data in Proper Electronic Format


FINRA fined 12 firms a total of $14.4 Million (including individual fines of $4 Million, $3.5 Million and $2 Million) for failing to retain electronic records in the proper format. FINRA charges that, over extended time periods, the firms failed to maintain required broker-dealer and customer records in “write once, read many” (aka WORM) format as required by Rule 17a-4(f)(2)(ii)(a) (BD records must be preserved “exclusively in a non-rewriteable, non-erasable format”). FINRA asserts that retaining records in WORM format protects such records from cyber-crimes. FINRA maintains that the failures affected hundreds of millions of records “spanning multiple systems and categories.” FINRA’s Enforcement Chief emphasized “FINRA’s focus on ensuring that firms maintain accurate, complete and adequately protected electronic records.”

OUR TAKE: These are significant fines for IT breakdowns in the absence of further allegations of customer harm or a specific hacking incident. Operations professionals should work with their IT teams and compli-pros to ensure that records retention follows regulatory requirements.

http://www.finra.org/newsroom/2016/finra-fines-12-firms-total-144-million-failing-protect-records-alteration

BD Fined for Hack of Third Party Cloud Provider


A broker-dealer agreed to pay a $650,000 fine because an OSJ’s cloud server vendor failed to protect customer information. FINRA asserts that foreign hackers penetrated the cloud-based servers and had access to customers’ nonpublic personal information. FINRA faults the firm for failing to monitor or test the third-party vendor’s information security. FINRA also alleges that the BD failed to adopt reasonable data security policies that included specific firewall policies and related testing. FINRA cites violations of Rule 30 of Regulation S-P, which requires the protection of customer records and information.

OUR TAKE: Firms must go the extra mile to protect customer information and not just rely on hiring a third party. FINRA will hold BDs strictly liable for data breaches, even those occurring at the vendor.