Cybersecurity Troubles At Financial Firms – Seven Regulatory Actions To Consider

"Those who do not remember the past are condemned to repeat it." — George Santayana

Frequently in the cybersecurity field, we try to look ahead to anticipate the next threat, the next zero-day attack. In this article on cybersecurity, we instead look back and review a handful of regulatory actions initiated by the Securities and Exchange Commission or the Financial Industry Regulatory Authority to glean lessons learned from cybersecurity vulnerabilities. The SEC is the primary regulator for investment companies, investment advisers and broker-dealers, and FINRA is a self-regulatory organization for broker-dealers.

Regulatory actions initiated by the SEC and FINRA relating to computer/information security are most often grounded in violations of Regulation S-P rather than the SEC's or FINRA's anti-fraud enforcement authority.[1] Rule 30 of Regulation S-P (referred to as the Safeguards Rule), which implemented the privacy provisions in Title V of the Gramm-Leach-Bliley Act of 1999,[2] provides:

Every broker, dealer, and investment company, and every investment adviser registered with the Commission must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to:

(1) Insure the security and confidentiality of customer records and information;

(2) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and

(3) Protect against any unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

The following regulatory actions highlight a number of broad categories of cybersecurity/information security problems, including inadequate policies and procedures, failure to follow up on reported cybersecurity problems and weak computer security/computer password practices, to name a few. Often, inadequate policies and procedures provide poor guidance to employees who, in turn, make poor decisions that result in problematic actions. The facts[3] that led to the regulatory action are summarized and then followed by bullet points regarding the trouble-causing problems and regulatory sanctions. For each regulatory action, a basic lesson is provided. Additional lessons follow the discussions of the regulatory actions. This article is not intended to be a comprehensive discussion of cybersecurity regulatory actions, but merely highlights a few cases.

Regulatory Actions by the SEC

In the Matter of Marc A. Ellis, Release No. 34-64220 (April 7, 2011)[4]

Basic Lesson No. 1: Financial firms need information security policies and procedures that include some details and do not merely regurgitate the requirements of published regulations.

Facts: Laptop computers belonging to three registered representatives of GunnAllen Financial Inc. were stolen, and the computer password credentials belonging to a fourth registered representative were misappropriated. One of the stolen laptop computers contained names, dates of birth and Social Security numbers of 1,120 of GunnAllen's customers. For the theft involving the computer with customer information, GunnAllen filed a report with the local police but did not take any other steps concerning the theft, and the laptop computer was never recovered. A letter notifying customers of the potential data breach was drafted but never mailed to the affected clients. In addition, a registered representative who was terminated a year earlier had misappropriated another employee's passwords and was monitoring an employee's email. Other than changing the registered representative's password, no other follow-up action was ever taken by compliance. Marc Ellis, GunnAllen's chief compliance officer, was responsible for maintaining GunnAllen's customer information protection procedures.

Inadequate Policies and Procedures. The policies addressing the protection of customer information contained in GunnAllen's written supervisory procedure manual were "less than a page long" and "general and vague," and they "simply recited the Safeguards Rule" and "provided examples of safeguards that may be adopted but did not specify policies actually adopted." In addition, no procedures existed that addressed what registered representatives should do in the event of a possible data breach...
