SEC Brings Enforcement Action Against Broker-Dealer For Deficient Cybersecurity Procedures
On September 26, 2018, the United States Securities and Exchange Commission (“SEC”) announced a $1 million settlement with an Iowa-based broker-dealer over allegations that it maintained deficient cybersecurity policies and procedures, which resulted in a 2016 cyber intrusion, in violation of Regulation S-P and Regulation S-ID. See Press Release, SEC Charges Firm With Deficient Cybersecurity Procedures, No. 2018-213 (Sept. 26, 2018); In the Matter of Voya Financial Advisors, Inc., Admin. Proc. No. 3-18840 (Sept. 26, 2018).
Under Rule 30(a) of Regulation S-P, the Safeguards Rule, broker-dealers must adopt written policies and procedures that are reasonably designed to ensure the security of customer records, and to protect against unauthorized access and other anticipated threats to the security and integrity of those records. See 17 C.F.R. § 248.30(a). Rule 201 of Regulation S-ID, the Identity Theft Red Flags Rule, requires broker-dealers to implement written identity theft prevention programs to detect, prevent, and mitigate identity theft in connection with certain covered accounts, including customers’ accounts.
According to the SEC, in April 2016, cyber intruders impersonated the broker-dealer’s contractors by calling its support line and requesting password resets. The intruders allegedly were able to obtain new passwords, and used these passwords to gain access to the personal information of approximately 5,600 customers, including customers’ addresses, dates of birth, and email addresses. For a subset of approximately 2,000 customers, the intruders also allegedly were able to view full social security numbers or other government-issued identification numbers. The SEC contends that with this information, the intruders created new online customer profiles and obtained access to customers’ account documents.
The SEC alleged that, prior to the intrusion, the broker-dealer did not maintain policies and procedures that were reasonably designed for the systems to which they applied, even though the broker-dealer had previously suffered a separate intrusion of a similar character. The SEC identified multiple cybersecurity deficiencies, including that the broker-dealer did not require call center operators to consult a “monitoring list” of phone numbers associated with fraudulent activity when providing password resets, did not have procedures in place to terminate the intruders’ access, and did not provide customers with notice when internal profiles for those customers were created, or when customers’ contact and document delivery preferences were edited.
The SEC noted, however, that the broker-dealer promptly undertook remedial acts after the April 2016 intrusion, including blocking malicious IP addresses, prohibiting the provision of passwords by telephone, and issuing breach notices to affected customers with one year of free credit monitoring. But this was not a sufficient basis to avoid an enforcement action.
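As an added illustration, not code from the SEC order or from the broker-dealer's own systems, the following Python sketch shows what the controls described above look like when built into a password-reset and profile-change workflow: checking the caller's number against a monitoring list before any reset, never providing a password by telephone (a reset link goes to the contact already on file instead), terminating active sessions once an intrusion is suspected, and sending the customer a notice whenever an online profile is created or a document delivery preference is changed. All account data, phone numbers and the monitoring list are constructed for the example.

```python
"""Added example: the controls the SEC identified as missing, modelled on a
toy account record. Nothing here is from the order; all data is constructed."""
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample: numbers previously associated with fraudulent reset attempts.
MONITORING_LIST: Set[str] = {"+1-555-0100", "+1-555-0199"}


@dataclass
class Account:
    account_id: str
    email: str                                   # contact already on file
    delivery_preference: str = "paper"
    active_sessions: List[str] = field(default_factory=list)
    pending_reset_token: Optional[str] = None
    notices: List[str] = field(default_factory=list)   # customer-facing notices
    audit: List[str] = field(default_factory=list)     # internal audit trail


@dataclass
class ResetDecision:
    approved: bool
    reason: str


def handle_reset_request(account: Account, caller_number: str,
                         monitoring_list: Set[str] = MONITORING_LIST) -> ResetDecision:
    """Control 1: consult the monitoring list before acting on any reset request.
    Control 2: a password is never read out to the caller; an approved request
    only dispatches a one-time reset link to the contact on file."""
    if caller_number in monitoring_list:
        account.audit.append(f"reset denied: caller {caller_number} on monitoring list")
        return ResetDecision(False, "caller number is on the monitoring list")
    # The token is stored for delivery to the email on file, not returned to the caller.
    account.pending_reset_token = secrets.token_urlsafe(16)
    account.audit.append(f"reset link sent to contact on file for caller {caller_number}")
    return ResetDecision(True, "reset link sent to the email on file")


def terminate_access(account: Account, reason: str) -> int:
    """Control 3: revoke every active session so an intruder's access is cut off.
    Returns the number of sessions terminated."""
    count = len(account.active_sessions)
    account.active_sessions.clear()
    account.pending_reset_token = None
    account.audit.append(f"{count} session(s) terminated: {reason}")
    return count


def create_online_profile(account: Account, username: str) -> str:
    """Control 4: the customer is notified whenever an online profile is created."""
    account.audit.append(f"online profile '{username}' created")
    notice = (f"An online profile '{username}' was created for account "
              f"{account.account_id}. If you did not request this, contact us.")
    account.notices.append(notice)
    return notice


def update_delivery_preference(account: Account, new_preference: str) -> str:
    """Control 5: the customer is notified when delivery preferences change."""
    old = account.delivery_preference
    account.delivery_preference = new_preference
    account.audit.append(f"delivery preference changed {old} -> {new_preference}")
    notice = (f"Document delivery for account {account.account_id} was changed "
              f"from {old} to {new_preference}. If you did not request this, contact us.")
    account.notices.append(notice)
    return notice


if __name__ == "__main__":
    acct = Account("A-1001", "customer@example.com", active_sessions=["s1", "s2"])
    print(handle_reset_request(acct, "+1-555-0100"))   # denied: on monitoring list
    print(handle_reset_request(acct, "+1-555-0123"))   # approved: link to email on file
    print(terminate_access(acct, "suspected intrusion"))
    create_online_profile(acct, "customer01")
    update_delivery_preference(acct, "electronic")
    print(*acct.notices, sep="\n")
```

The point of the design is that every decision leaves both an audit entry and, where a customer's profile or preferences are touched, a customer-facing notice; the password-reset path never yields a secret to the person on the phone, which removes the channel the impersonated-contractor calls relied on.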
As the first enforcement action brought for a violation of the Identity Theft Red Flags Rule of Regulation S-ID, the matter provides important guidance to broker-dealers. Indeed, going forward, broker-dealers should consider the specific policies and procedures identified as missing by the SEC to be virtually mandatory.