Cyber Crackdown on Email

The Securities and Exchange Commission sanctioned three broker-dealer/investment advisers for failures in their cybersecurity policies and procedures that resulted in email account takeovers. Each of the firms was using cloud-based email accounts that were hacked. The three firms had not mandated multi-factor authentication for access to the email accounts.

The SEC claimed failure under Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”). The Safeguards Rule requires financial institutions to adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information. Those policies and procedures must be reasonably designed to

  1. Ensure the security and confidentiality of customer information;
  2. Protect against anticipated threats or hazards to the security or integrity of customer information; and
  3. Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.

The SEC did not claim that any customers were harmed, that money was stolen, or that the compromised information was put to any malicious use. The SEC claimed that the firms failed to design and enforce written cybersecurity policies that adequately covered cloud-based email accounts. The firms either did not require multi-factor authentication or did not fully implement it across the accounts.

Simple takeaway from these actions: If your firm is using a web-based email system, mandate multi-factor authentication.

Sources:

Author: Doug Cornelius
