04 October 2018
In September 2018, an advisory firm was charged by the SEC and settled for a $1 million penalty.
Laying the Foundation
This advisory firm is dually-registered (Broker Dealer and RIA). For a five-year period, independent contractors were given access to client information through a remote web portal. The independent contractors used their own equipment and networks to reach the web portal. The web portal and its technical support were maintained by the firm’s parent company.
What happened…in a nutshell?
Over the course of six days, one or more impersonators of the independent contractors called technical support at the advisory firm’s parent company and requested password resets for three different representatives. Temporary passwords, and in two of the instances the usernames as well, were provided over the phone.
Three hours after the first fraudulent request was made, one of the “real” independent contractors contacted technical support to say he received an email that his password was reset and that he did not request this.
At this point the firm did take steps to respond to this intrusion, but those steps did not prevent the two subsequent incidents in which intruders obtained passwords and gained access to personally identifiable information for at least 5,600 clients.
It was later found that two of the phone numbers used by the impersonators who called technical support had previously been identified by the advisory firm’s parent company as associated with fraudulent activity. That prior activity also involved attempts to impersonate independent contractors. (Definitely a red flag.)
It was also determined that the advisory firm did not have a sufficient understanding of how the web portal operated. Once the first impersonation was reported, the firm could have cut off the intruders by terminating their access to the compromised accounts, but it did not. (Failure to adopt policies and procedures reasonably designed to protect client information.)
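The three failures in this story (a temporary password handed to a caller on a known-fraud number, a second and third reset honoured after the first victim had already reported an unrequested reset, and no revocation of the access already granted) are all things a help desk can check mechanically. The script below is an added example, not code from the original post or from the firm involved: it replays a constructed help-desk log shaped like the case (the timestamps, account names, phone numbers and fraud list are all made up for illustration) and shows how each request would be blocked, issued, or revoked.

```python
"""Help-desk password-reset triage, written as an added example of the
controls missing in the case above. Not code from the original post or from
the firm involved; the log lines, phone numbers, account names and fraud list
are all constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    kind: str      # "reset_request" or "user_reported_unrequested_reset"
    account: str   # the representative's portal account
    caller: str    # phone number the help desk saw (empty for user reports)


@dataclass
class Triage:
    issued: dict = field(default_factory=dict)   # account -> caller who got a temp password
    revoked: set = field(default_factory=set)    # accounts whose temp password/sessions were killed
    blocked: list = field(default_factory=list)  # (account, caller, reason)
    fraud_numbers: set = field(default_factory=set)


def parse_log(text):
    """Parse 'timestamp|event|account|caller' lines into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, account, caller = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), kind, account, caller))
    return sorted(events, key=lambda e: e.ts)


def triage(events, known_fraud_numbers, window=timedelta(days=7)):
    """Decide, in order, which resets to honour and which accounts to revoke."""
    t = Triage(fraud_numbers=set(known_fraud_numbers))
    by_caller = {}  # caller -> list of (ts, account) for resets actually issued

    for e in events:
        if e.kind == "user_reported_unrequested_reset":
            # The real user never asked: the temp password and any session opened
            # with it belong to the attacker. Kill them, remember the caller, and
            # revoke everything else that caller obtained.
            t.revoked.add(e.account)
            caller = t.issued.get(e.account)
            if caller:
                t.fraud_numbers.add(caller)
                for _, acct in by_caller.get(caller, []):
                    t.revoked.add(acct)
        elif e.kind == "reset_request":
            if e.caller in t.fraud_numbers:
                t.blocked.append((e.account, e.caller, "caller on known-fraud list"))
                continue
            recent = [(ts, a) for ts, a in by_caller.get(e.caller, []) if e.ts - ts <= window]
            other_accounts = {a for _, a in recent if a != e.account}
            if other_accounts:
                # One phone number asking for several representatives' passwords is
                # the pattern from the case: refuse this one and pull the earlier ones.
                t.blocked.append((e.account, e.caller, "same caller resetting multiple accounts"))
                t.fraud_numbers.add(e.caller)
                t.revoked.update(other_accounts)
                continue
            t.issued[e.account] = e.caller
            by_caller.setdefault(e.caller, []).append((e.ts, e.account))
    return t


# Constructed help-desk log mirroring the shape of the case: impersonation calls
# spread over several days, the real user reporting the first reset three hours
# later, and one caller asking for two different representatives' passwords.
HELPDESK_LOG = """\
2018-04-02T09:00:00|reset_request|rep_a|+15550100
2018-04-02T12:00:00|user_reported_unrequested_reset|rep_a|
2018-04-04T10:30:00|reset_request|rep_b|+15550199
2018-04-07T15:45:00|reset_request|rep_c|+15550100
2018-04-07T16:00:00|reset_request|rep_d|+15550123
2018-04-08T09:00:00|reset_request|rep_e|+15550123
"""

# Constructed: a number the support desk had already tied to impersonation attempts.
KNOWN_FRAUD_NUMBERS = {"+15550199"}


def run_example():
    return triage(parse_log(HELPDESK_LOG), KNOWN_FRAUD_NUMBERS)


if __name__ == "__main__":
    result = run_example()
    for account, caller, why in result.blocked:
        print(f"BLOCKED  {account:6} from {caller}: {why}")
    for account in sorted(result.revoked):
        print(f"REVOKED  {account}")
    print("fraud list now:", sorted(result.fraud_numbers))
```

In this replay only rep_a and rep_d ever receive a temporary password, and both are revoked: rep_a because the real user reported it, rep_d because the same caller came back for a second representative. The later calls from the number learned in the first incident and from the number already on the list are refused outright. The point is not the specific thresholds (a seven-day window, one account per caller) but that the first victim's report is wired into every later decision, which is exactly the linkage the firm lacked.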
Because the firm’s policies and procedures were not reasonably designed to protect customer information and respond to cybersecurity threats, the firm was fined and paid a settlement of $1 million.
Read the details of this case: https://www.sec.gov/litigation/admin/2018/34-84288.pdf
- Review your policies. Make sure they are “reasonably” designed for your firm. How do you know if they are reasonable? Talk to your IT professional(s) and make sure the controls and procedures in place make sense for the systems in place. Talk to your compliance consultants and make sure the policies cover the areas of concern. Remember, your policies are dynamic. You do not write your policies and stick them in a file cabinet to never be seen again. They should regularly be reviewed and updated.
- Train your staff! This is very important! Make sure they understand the importance and what they need to do on a daily basis to not only protect the firm and clients, but also themselves.
- Test your policies. You can hire an independent party to conduct penetration testing or vulnerability testing. Walk through possible scenarios with key personnel (a tabletop exercise), assess the risk, and confirm the policies are still relevant to your firm’s systems and structure. Then make adjustments as needed.
- Have an incident response plan in place. I believe we are in a time where it’s not a matter of if, but when. How quickly and effectively you respond to an incident can make all the difference in protecting the firm and clients. Make sure you have a plan in place to detect and respond in a timely manner.