Companies held accountable for email account takeovers and flawed cybersecurity procedures
On August 30, 2021, the SEC announced the resolution of enforcement actions against three companies and their affiliates. The actions arose from the companies' failures to comply with cybersecurity policies and procedures, which resulted in email account takeovers that exposed the personal information of thousands of customers and clients.
When an email account is taken over, an unauthorized third party gains access to the account and can view its contents. The third party can also perform the same actions as the legitimate user, such as sending and deleting emails or setting up forwarding rules.
In all three enforcement actions, the SEC alleged that each company violated Rule 30(a) of Regulation S-P, known as the Safeguards Rule. The rule is designed to protect confidential customer records and information. All parties to these enforcement actions are brokers, registered investment advisers ("RIAs"), or both. All of the companies agreed to settle the charges against them.
The Safeguards Rule requires every investment adviser and broker registered with the SEC to adopt written policies and procedures that are reasonably designed to:
- ensure the security and confidentiality of customer records and information;
- protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
- protect against unauthorized access to or use of customer records or information that could result in material harm or inconvenience to any customer.
An RIA or broker violates the Safeguards Rule if its policies and procedures for protecting customers and customer information are not reasonably designed to achieve those objectives. Policies and procedures should also be reasonably designed to prevent and respond to cybersecurity incidents.
Without admitting or denying the SEC's findings, each company agreed to cease and desist from future violations of the relevant provisions. They also agreed to be censured and to pay a fine. The SEC press release on the enforcement actions can be viewed here.
Enforcement action no. 1
The first enforcement action concerned five entities of a financial services company. Three of the entities were dually registered; the other two were a broker and an RIA.
According to the SEC order against the first company, the cloud-based email accounts of more than sixty company personnel were taken over by unauthorized third parties, resulting in the exposure of personally identifiable information ("PII") of at least 4,388 customers and clients. "Exposure" of personal information means that an unauthorized third party had the opportunity to view the information; the information is deemed exposed even if it was never actually viewed.
The accounts were taken over through phishing, credential stuffing, or other attack methods. While the takeovers do not appear to have resulted in unauthorized transactions or transfers in advisory or brokerage accounts, the entities violated the Safeguards Rule because their policies and procedures were not reasonably designed to ensure compliance. In particular, the policies and procedures were deficient with respect to independent contractor representatives and foreign contractors.
This enforcement action alleged that the entities had failed to implement cybersecurity policies and tools, such as multi-factor authentication. The entities had a significant number of security tools available that would have allowed them to put controls in place to mitigate the risks, but they did not use those tools in a manner appropriate to their business, thereby exposing their customers' and clients' personal information to unreasonable risk.
In addition to their Safeguards Rule violations, the RIAs involved in this enforcement action were charged with violating Section 206(4) of the Investment Advisers Act of 1940 and Rule 206(4)-7 thereunder. The SEC alleged that the RIAs did not adopt and implement reasonably designed policies and procedures governing the review of client communications. This failure led the RIAs to send breach notifications to clients that contained misleading template language.
The RIAs had engaged outside counsel to prepare and deliver the notifications to clients. The SEC found that while most of the breach notifications prepared by outside counsel were accurate, the letters sent in 2018 and 2019 to approximately 220 advisory clients were misleading. The letters included template language about the timing of the incidents and described them as "recent". The letters also stated that the representatives had not been notified of the unauthorized access until two months before the breach notification, when in fact each entity had been aware of the underlying breach at least six months earlier. This language created the misleading impression that the incidents had occurred much more recently than they actually had. Because customers and clients were notified late about when the breach had occurred, they were not on the lookout for possible misuse of their personal information.
When the letters were sent, the RIAs' policies and procedures for responding to cybersecurity events required advisory staff to review client communications about those incidents before they were sent. The SEC concluded that the advisers failed to implement reasonably designed policies and procedures because their review of client communications was conducted in a manner that did not correct the template language, which was misleading in the circumstances.
As a result of these compliance failures, the SEC imposed a civil penalty of $300,000 on the company's entities. The enforcement action can be found here.
Enforcement action no. 2
The SEC's second enforcement action resulted from the failure of a broker and an RIA to adopt written policies and procedures reasonably designed to protect customer and client records and information. The SEC alleged that the Iowa-based broker and RIA violated the Safeguards Rule. According to the SEC order, the broker's and RIA's violations of the Safeguards Rule allowed the cloud-based email accounts of more than 121 company representatives to be taken over by unauthorized third parties, exposing the personal information of at least 2,177 customers and clients. The SEC determined that although the initial email account takeover was discovered in January 2018, the broker and RIA failed to adopt and implement firm-wide enhanced security measures for representatives' cloud-based email accounts until 2021. This failure resulted in the potential exposure of additional customer and client records and information.
As in the first enforcement action, the RIA and the broker did not use multi-factor authentication as a security measure. They compounded their mistakes by failing to act promptly to guard against future intrusions and misuse of personal information.
The RIA and the broker agreed to pay a fine of $250,000. The enforcement action is available here.
Enforcement action no. 3
According to the SEC order against a dually registered Seattle-based investment brokerage and advisory firm, the cloud-based email accounts of fifteen financial advisers or their assistants were taken over by unauthorized third parties. The email account takeovers resulted in the exposure of personal information of approximately 4,900 customers and clients.
When the email account takeovers were discovered, the company reset the affected financial advisers' email passwords, removed forwarding rules, and enabled multi-factor authentication. However, additional firm-wide security measures were not implemented until August 2020, approximately 21 months after the breach was discovered. By not implementing additional security measures in a timely manner, the company further exposed customer and client information and records.
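To make the account-takeover behaviour described earlier concrete (an intruder who can set up forwarding rules and delete mail, and the removal of those rules as a first response step), the following added example audits an export of mailbox inbox rules and flags rules that forward or redirect mail outside the firm's own domains, and rules that also delete the message so the mailbox owner never sees the copy. This is illustrative code written for this page, not code from the SEC orders or from any of the firms involved; the domain `example-firm.test`, the `InboxRule` fields and the sample rules are all constructed assumptions.

```python
"""Audit mailbox inbox rules for signs of an email account takeover.

Added example: given an export of inbox rules, flag rules that forward or
redirect mail outside the firm's own domains, and rules that also delete the
message so the mailbox owner never sees the forwarded copy.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: the firm's own mail domains. Any other domain is "external".
INTERNAL_DOMAINS = {"example-firm.test"}


@dataclass
class InboxRule:
    """Simplified view of one inbox rule as it might appear in an export (assumed schema)."""
    mailbox: str                  # owner of the mailbox the rule lives in
    name: str                     # rule name as shown to the user
    forward_to: List[str] = field(default_factory=list)   # forward targets
    redirect_to: List[str] = field(default_factory=list)  # redirect targets
    delete_message: bool = False  # rule also deletes the matched message
    enabled: bool = True


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def is_external(address: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    """True when the address is not in one of the firm's own domains."""
    return domain_of(address) not in internal_domains


def audit_rule(rule: InboxRule, internal_domains=INTERNAL_DOMAINS) -> List[str]:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings: List[str] = []
    if not rule.enabled:
        return findings  # a disabled rule moves no mail; review those separately
    external_targets = [a for a in rule.forward_to + rule.redirect_to
                        if is_external(a, internal_domains)]
    for target in external_targets:
        action = "redirects" if target in rule.redirect_to else "forwards"
        findings.append(f"{action} mail to external address {target}")
    if external_targets and rule.delete_message:
        findings.append("forwards and deletes, hiding the copies from the mailbox owner")
    return findings


def audit_mailboxes(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map each mailbox that has findings to its findings, sorted by mailbox."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        for finding in audit_rule(rule):
            report.setdefault(rule.mailbox, []).append(f"rule '{rule.name}': {finding}")
    return dict(sorted(report.items()))


# Constructed sample export (not real data): one benign internal rule,
# one takeover-style rule, and one disabled rule.
SAMPLE_RULES = [
    InboxRule("adviser1@example-firm.test", "To assistant",
              forward_to=["assistant@example-firm.test"]),
    InboxRule("adviser2@example-firm.test", "Auto-forward",
              forward_to=["collector@mail.example"], delete_message=True),
    InboxRule("adviser3@example-firm.test", "Old redirect",
              redirect_to=["someone@mail.example"], enabled=False),
]

if __name__ == "__main__":
    for mailbox, findings in audit_mailboxes(SAMPLE_RULES).items():
        print(mailbox)
        for finding in findings:
            print("  -", finding)
```

Running the script lists only the second mailbox, with both findings. In practice the rule list would come from the mail platform's administrative export rather than from a constant, and the audit would be scheduled so that a rule added after a takeover is caught quickly rather than months later.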
These email account takeovers exposed personal information that falls within the scope of Regulation S-P. Some customers and clients received phishing emails asking them to:
- transfer funds to a bank account;
- enter personal information, such as a driver's license number or Social Security number, to access a document; or
- click a link to view an investment recommendation, which would have given the attackers access to the customers' and clients' computers.
The company was ordered to pay a fine of $200,000. The action can be reviewed here.
Businesses must design and fully implement robust cybersecurity policies and procedures to protect customer and client information, records, and privacy. Businesses can help guard against cyberattacks by requiring security tools such as multi-factor authentication for all users and accounts. As Kristina Littman, Chief of the SEC Enforcement Division's Cyber Unit, warned, "It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks."
When a breach occurs, brokers and RIAs should notify their customers and clients promptly and should not minimize the severity of the incident, so that customers and clients can guard against the risk of potential misuse of their personal information. Policies and procedures should specify how this notification will occur. In addition, policies and procedures should be designed to ensure compliance with Regulation S-P and to reinforce the duty of businesses to maintain customer privacy.