On June 8, 2016, the US Securities and Exchange Commission (“SEC”) brought and settled charges against a registered broker-dealer/investment adviser (the “Registrant”) for failure to implement reasonable security policies and procedures in violation of the Gramm-Leach-Bliley Act’s “Safeguards Rule,” which was adopted as part of Regulation S-P. These alleged violations (the Registrant settled without admitting or denying the SEC’s findings) appear to have been self-reported to the SEC by the Registrant following its discovery of two data security incidents—one caused by the criminal misconduct of a registered representative (the “Employee”) and another caused by hackers who targeted the Employee. The incidents involved personally identifiable information (“PII”) and other data associated with approximately 730,000 customer accounts belonging to 330,000 different households.
The SEC brought the proceeding for violations of the Safeguards Rule’s requirement that every broker-dealer or investment adviser registered with the SEC adopt “written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”1 These require that written policies and procedures must be reasonably designed to:
- Ensure the security and confidentiality of customer records and information,
- Protect against any anticipated threats or hazards to the security or integrity of customer records and information, and
- Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.2
Here the SEC concluded that, although the Registrant adopted certain policies and procedures, it failed to ensure the reasonable design and proper operation of its policies and procedures in safeguarding confidential customer data.
As alleged in the order, the Registrant maintained hundreds of computer applications to process PII contained in its customer databases. The Registrant also had adopted policies and restrictions that prohibited its employees from accessing PII other than what they were authorized to access to perform their job responsibilities. Two of the applications, however, permitted the Employee to access any customer’s PII by entering certain number combinations that represented internal business units (other than the Employee’s own unit). The ineffective authorization modules of these two applications remained in place from at least August 2001 until December 2014 and were not audited, tested, or regularly updated during that period. As a result, the Employee allegedly was able to run over 5,000 unauthorized searches between 2011 and 2014 and to download PII associated with 730,000 customer accounts.
The SEC alleged that the Registrant had installed technology controls that prevented the Employee from attaching a remote storage device to his work computer. The Registrant, however, allegedly did not prevent the Employee from establishing a file transfer connection over the Internet between his work computer and his personal server (which was an “uncategorized” website in the Registrant’s website filtering program).3 Through the file transfer connection, the Employee was able to transfer customer account data from the Registrant’s systems to his personal server.
Following the exfiltration of the data from the Registrant’s systems, third-party hackers separately compromised the Employee’s personal server and began to sell the customer account data online. The Registrant detected these sales during Internet sweeps and identified the Employee as the source of the information.
As a result of the settled proceeding, the Registrant was ordered to cease and desist from further violations of the Safeguards Rule, censured, and fined $1,000,000. Separately, the Registrant notified customers whose data had been compromised. The Employee was banned from the securities industry by the SEC. And, in a related criminal case, he pled guilty to the felony of exceeding authorized access to a computer and was sentenced to 36 months of probation and ordered to pay $600,000 in restitution to the Registrant. Moreover, the Federal Reserve Bank of New York notified the Employee that, because his conviction involved “dishonesty or breach of trust,” he was automatically subject to a statutory ban from the business of banking.
This case highlights the SEC’s expectation that an organization both adopt and implement an effective cybersecurity risk management program on an enterprise-wide basis. It also suggests that the SEC believes that organizations should adopt effective automated security mechanisms (e.g., filters to block “uncategorized” websites and effective “authorization modules”) in addition to routine auditing, testing, and monitoring. Additionally, it is the latest in a trend of cybersecurity initiatives by the SEC that highlights the growing cooperation among federal agencies on cybersecurity matters (the FBI’s New York Field Office and the US Attorney’s Office for the Southern District of New York assisted the SEC in its investigation).4
1 Privacy of Consumer Financial Information (Regulation S-P), Rel. Nos. 34-42974, IA-1883, 65 Fed. Reg. 40,334 (June 29, 2000) (codified at 17 C.F.R. §248.30(a)).
2 Id. The federal banking agencies and the Federal Trade Commission (“FTC”) have adopted similar rules and are responsible for enforcing those rules with respect to entities under their jurisdiction.
3 According to the SEC, website filtering programs “generally attempt to categorize websites based on their content or other attributes and then apply predetermined filters based on the detected website category … . ‘Uncategorized’ websites are those that the filtering program has not placed into one of its established categories.”
4 See our earlier legal update regarding a separate SEC enforcement action against a registered investment adviser for cybersecurity-related lapses.