10/4/18 - Promontory Currents: Financial Services Company Settles with SEC in First-of-Its-kind Identity-Theft Action

By Conway Dodge, Dr. Phyllis Schneck, and Chris Seigle

Last week, a large financial services firm agreed to a $1 million settlement with the Securities and Exchange Commission relating to cybersecurity breaches.

The case represents the first time that the SEC has brought charges in accordance with Rule 201 of Regulation S-ID, also known as the identity-theft red-flags rule, which requires certain regulated entities to develop and implement a prevention program to detect and respond to identity theft. The SEC also charged the firm with violations of Rule 30(a) of Regulation S-P, known as the safeguards rule, which requires firms to adopt policies and procedures that address administrative, technical, and physical safeguards for protecting customer records and information.

The firm, a dually registered broker-dealer and investment adviser, provides its contractor representatives with access to customer information, including personally identifiable information (PII), via a proprietary web portal that is serviced and maintained by its parent company. The parent company’s staff also operates call centers to provide the firm’s customers and representatives with technical support.

According to the SEC order, in April 2016, one or more individuals impersonating the firm’s contract representatives contacted call-center support staff and successfully obtained password resets for three representative profiles, in each case receiving a temporary password over the phone and in two cases obtaining the representatives’ usernames. As a result, the intruders gained access to PII for thousands of the firm’s customers, including, in many cases, their Social Security numbers. Moreover, the intruders gained access to a platform used by the firm’s representatives and employees to manage customer accounts, which gave them the ability to initiate distribution requests and execute trades (although it does not appear that any fraudulent transfers occurred). Although the firm detected the breach on the first day of the intrusion — when a contract representative received an email notification regarding a password change — it was unable to prevent two subsequent intrusions over the next few days.

The SEC cited a number of shortcomings in the firm’s cybersecurity and identity-theft control frameworks that prevented the firm from adequately responding to the breaches, including:

  • Systems that permitted concurrent sessions on the firm’s proprietary web portal and did not automatically end a session after a period of inactivity (despite policies and procedures requiring both controls), as well as a failure to terminate the intruders’ open sessions once the breach was discovered and the passwords were reset
  • Security questions that were reset whenever a password change was requested, which rendered multi-factor authentication ineffective because the intruders could simply supply new answers
  • Employees who read temporary passwords out over the phone rather than delivering them by secure email, as well as policies and procedures that did not prohibit employees from providing usernames over the phone
  • Written policies and procedures that did not require employees fielding password-reset requests to consult the firm’s list of phone numbers associated with fraud (earlier breaches had been attempted from the same phone numbers used in the most recent breach)
  • Incident-response staff who were not adequately trained on how to operate the firm’s systems
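The first four findings describe controls that are straightforward to enforce in software rather than by policy alone. The following is an added illustration, not code from the SEC order, the firm, or Promontory: an in-memory session store that enforces an idle timeout, allows one active session per user, and terminates every session when a password is reset, paired with a call-centre reset workflow that screens the caller’s number against a fraud list, never resets security questions, and delivers the temporary password only to the registered email address. The timeout value, the user and phone-number strings, and the email addresses are assumptions chosen for the example.

```python
"""Added example: session and password-reset controls of the kind the SEC order
found lacking. Illustrative only; the 15-minute timeout, user names, phone
numbers and email addresses are assumptions, not details from the order."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value; the order states none


@dataclass
class Session:
    user: str
    last_seen: float


class SessionStore:
    """Server-side session store enforcing idle timeout, one session per user,
    and administrative revocation of all of a user's sessions."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS, now=time.time):
        self.idle_timeout = idle_timeout
        self._now = now  # injectable clock so the timeout can be tested offline
        self._sessions: dict[str, Session] = {}

    def login(self, user: str) -> str:
        # One active session per user: a new login displaces any existing one,
        # so a second, concurrent session cannot quietly coexist with the first.
        self.revoke_user(user)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, self._now())
        return token

    def validate(self, token: str) -> str | None:
        """Return the user for a live token, or None if unknown or idle-expired."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._now()
        if now - sess.last_seen > self.idle_timeout:
            del self._sessions[token]  # idle timeout enforced by the server, not the browser
            return None
        sess.last_seen = now
        return sess.user

    def revoke_user(self, user: str) -> int:
        """Terminate every session belonging to user; returns how many were cut."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def active_sessions(self, user: str) -> int:
        return sum(1 for s in self._sessions.values() if s.user == user)


class PasswordResetDesk:
    """Call-centre reset workflow with the checks the order says were missing."""

    def __init__(self, store: SessionStore, fraud_numbers: set[str],
                 registered_email: dict[str, str]):
        self.store = store
        self.fraud_numbers = fraud_numbers
        self.registered_email = registered_email
        self.outbox: list[tuple[str, str]] = []  # (address, body): stand-in for secure email

    def request_reset(self, user: str, caller_number: str) -> dict:
        # 1. Consult the fraud-number list before doing anything else.
        if caller_number in self.fraud_numbers:
            return {"ok": False, "reason": "caller number on fraud list", "escalate": True}
        if user not in self.registered_email:
            # Do not confirm or deny the username to the caller.
            return {"ok": False, "reason": "request cannot be completed", "escalate": False}
        # 2. Security questions are deliberately NOT touched; the second factor stays intact.
        # 3. The temporary password goes to the registered address, never read out by phone.
        temp_password = secrets.token_urlsafe(12)
        self.outbox.append((self.registered_email[user], f"Temporary password: {temp_password}"))
        # 4. Any session open under the old credential is terminated immediately.
        revoked = self.store.revoke_user(user)
        return {"ok": True, "reason": "temporary password sent to registered email",
                "sessions_revoked": revoked, "escalate": False}


if __name__ == "__main__":
    store = SessionStore()
    desk = PasswordResetDesk(store, {"+1-555-0100"}, {"rep1": "rep1@example.com"})
    token = store.login("rep1")
    print(desk.request_reset("rep1", "+1-555-0100"))   # refused: number is on the fraud list
    print(desk.request_reset("rep1", "+1-555-0199"))   # accepted: one session revoked
    print(store.validate(token))                       # None: the old session is gone
```

The point of the injectable clock is that the idle-timeout path can be exercised deterministically; in production `time.time` is used and the store would live in a shared cache rather than a process-local dictionary. Note that the reset desk returns an `escalate` flag for fraud-list hits so that the call is routed to the incident-response team rather than silently dropped.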

Perhaps most importantly, the SEC noted that the firm had not substantively updated its identity-theft prevention program since adopting it in 2009, despite significant increases in cyberrisk over that period.

These breaches were not the result of sophisticated cyberattacks. Rather, the SEC order indicates that they occurred because of failures in processes and employee training, and because the firm did not adhere to industry best practices. As cyberthreats ranging from information theft to the destruction of systems and data continue to increase, adversaries will gravitate toward easy targets, i.e., organizations that fail to implement sound cybersecurity processes and best practices.

The SEC action is an important reminder to SEC-regulated entities that cyberintruders pose a continuing and evolving threat, and that regulators are serious about protecting consumers. Firms must take measures to ensure that policies, procedures, and controls keep pace with the risks posed by those seeking to do harm to their customers and employees. This entails not only updating written policies and procedures, but also conducting rigorous testing and providing ongoing training to relevant staff.

Of course, cybersecurity is not limited to technology — it also involves enabling and protecting the business through risk mitigation, early detection, and resilience. Firms must bolster their risk-assessment capabilities and employee-training programs, and they must implement sound processes and procedures to keep their customers’ information safe.

Authors

Conway Dodge is a managing director in Promontory’s Washington office, Dr. Phyllis Schneck is a managing director and global leader of cyber solutions in Promontory’s Washington office, and Chris Seigle is a principal in Promontory’s Washington office.