While the question of whether cyber-security breaches from a personal computer cost a candidate the presidency may be the subject of debate for some years to come, the cost of that violation for one of America’s top investment houses is already clear: $1 million. In the financial sector, such lapses are being taken very seriously as demonstrated by what has been referred to as “the most significant SEC cyber-security-related action to date.”
700,000 Accounts Hacked
Despite being ranked in the top three of this year’s All-America Trading Team rankings, a venerable US investment bank allegedly failed to adopt federally mandated policies and procedures to adequately protect confidential customer information. According to the SEC, that breach resulted in an employee being able to access over 700,000 customer accounts from his home computer between 2011 and 2014 and transfer the data to his personal server. Then, apparently unbeknownst to him, his server was hacked by third parties who posted the information online between December 2014 and February 2015.
Serious Compliance Failures
According to the SEC complaint filed in the case, the bank failed to comply with well-known cyber-security regulations contained in Rule 30(a) of Regulation S-P, known as the “Safeguards Rule.” The complaint alleged that:
* The bank violated federal securities laws that require registered broker-dealers and investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information;
* The bank’s policies and procedures were not reasonable because two internal web applications or “portals” allowed employees to access customers’ confidential account information;
* The bank did not have effective authorization modules in place to protect the portals for more than ten years, which would have restricted employees’ access to customer data based on each employee’s legitimate business need; and,
* The bank did not audit or test the relevant authorization modules, nor did it monitor or analyze employees’ access to and use of the portals.
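The last two points describe two separate controls the complaint says were absent: an authorization layer that limits each employee to the accounts they have a business need for, and monitoring of how the portals are used. The following is an added illustration (not code from the article, the SEC, or the bank) of both layers in a small constructed portal model; the employee names, account IDs and the threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample data: the customer accounts each employee has a
# legitimate business need to view. In a real portal this would come from
# an entitlement system, not a literal.
ASSIGNMENTS = {
    "alice": {"ACCT-1001", "ACCT-1002"},
    "bob": {"ACCT-2001"},
}


@dataclass
class Portal:
    assignments: dict
    enforce_authorization: bool = True   # False models a portal with no authz module
    bulk_threshold: int = 3              # distinct accounts per employee before flagging (assumed)
    access_log: list = field(default_factory=list)

    def authorize(self, employee: str, account: str) -> bool:
        """Least-privilege check: allow only accounts assigned to this employee.

        Every decision, allowed or denied, is appended to the access log so
        that access can be audited and analysed after the fact.
        """
        has_need = account in self.assignments.get(employee, set())
        allowed = has_need or not self.enforce_authorization
        self.access_log.append((employee, account, allowed))
        return allowed

    def flag_bulk_access(self) -> dict:
        """Monitoring layer: report employees who touched more distinct
        accounts than the threshold, regardless of whether each request
        was allowed. This is the kind of signal a multi-year, 700,000
        account pull would produce even if the authz layer were missing."""
        seen = defaultdict(set)
        for employee, account, _allowed in self.access_log:
            seen[employee].add(account)
        return {e: len(a) for e, a in seen.items() if len(a) > self.bulk_threshold}


if __name__ == "__main__":
    # Model of the portal described in the complaint: no authorization, but logging on.
    open_portal = Portal(ASSIGNMENTS, enforce_authorization=False)
    for i in range(5):
        open_portal.authorize("bob", f"ACCT-900{i}")
    print(open_portal.flag_bulk_access())   # {'bob': 5}
```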
On the Other Hand…
According to one industry observer, the irony is that the bank in fact “did everything right,” and he cautioned that no regulated company is immune from inside cyber-security breaches. Furthermore, the bank’s response to the serious breach was exemplary: In December 2014, a posting appeared on an Internet site offering millions of account records including login data with passwords and instructions on how to purchase them. The records were being sold, not for U.S. currency, but in exchange for a virtual currency known as “Speedcoin,” a virtual relative of the better-known Bitcoin. The bank immediately discovered the posting due to the diligence of its routine tracking of suspicious websites, and the offer was removed the same day. The cyber-security breach was ultimately traced to the six-year veteran employee who was criminally charged—and, of course, fired.
Inside Employee Also Fined
In addition to the $1 million fine assessed against the bank, the former employee agreed to be barred from the industry (although he can reapply after five years), and he pleaded guilty to a one-count criminal charge of unauthorized access to a computer filed by the U.S. Attorney’s Office for the Southern District of New York. He was further sentenced to thirty-six months of probation and a $600,000 restitution order.