On September 26, the U.S. Securities and Exchange Commission (SEC) announced that a broker-dealer/investment adviser has agreed to pay a $1 million fine for allegedly failing to safeguard the personally identifiable information of its customers. According to the SEC, the firm allegedly violated two rules: the Safeguards Rule (Regulation S-P), which requires broker-dealers and investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information, and the Identity Theft Red Flags Rule (Regulation S-ID), which requires them to maintain a program to detect and respond to red flags of identity theft in covered accounts.
The fine relates to a 2016 incident in which, the SEC claims, bad actors posing as the firm's contractors called its technical support line, convinced staff to reset the contractors' passwords, and then used the reset credentials to log in and create new customer profiles. According to the SEC, the intruders thereby gained access to the personal information of more than 5,500 customers. The SEC further alleged that, after the intrusion was discovered, the firm was slow to terminate the unauthorized access because its cybersecurity policies and procedures were not reasonably designed for the way its contractors actually accessed its systems.
In the SEC’s press release announcing the fine, Robert A. Cohen, head of the SEC Enforcement Division’s Cyber Unit, said, “This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models. They also must review and update the procedures regularly to respond to changes in the risks they face.”
Commenting on the case, Askari Foy, Managing Director at ACA Aponix and former Head of the SEC’s National Technology Controls Program, said, “This enforcement case demonstrates that the SEC continues to focus on cybersecurity as part of its examination program. It is also worth noting that a combination of regulatory risks, third-party risks, susceptibility to social engineering attacks, and a lack of sufficient incident response procedures led to the violations alleged by the SEC.”
How ACA Can Help
ACA Aponix offers several solutions for assessing your firm’s cyber risk and helping to meet federal and state cybersecurity regulations. These include:
- Cybersecurity and technology risk assessments
- WISP and business continuity planning development and implementation assistance
- Cyber incident response planning
- Vendor and M&A diligence services
- Phishing testing and cyber awareness training
- Mock regulatory cyber exams
For More Information
If you have questions, please contact your regular ACA Aponix consultant or email us at firstname.lastname@example.org.