The Securities and Exchange Commission sanctioned three broker-dealer/investment advisers for deficiencies in their cybersecurity policies and procedures that resulted in email account takeovers. Each of the firms used cloud-based email accounts that were compromised, and none of the three had mandated multi-factor authentication for access to those accounts.
The SEC alleged violations of Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”). The Safeguards Rule requires financial institutions to adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information. Those policies and procedures must be reasonably designed to:
- Ensure the security and confidentiality of customer information;
- Protect against anticipated threats or hazards to the security or integrity of customer information; and
- Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.
The SEC did not allege that any customer was harmed, that any money was stolen, or that the compromised information was put to malicious use. Its claim was that the firms failed to design and enforce written cybersecurity policies adequately as they related to cloud-based email accounts: the firms either did not require multi-factor authentication at all, or began rolling it out and never completed the implementation across all accounts.
Simple takeaway from these actions: if your firm uses a cloud-based email system, mandate multi-factor authentication for every account, and verify that the mandate is actually enforced rather than merely written into policy.
Sources:
- SEC Announces Three Actions Charging Deficient Cybersecurity Procedures
- SEC Order – Cetera Entities
- SEC Order – Cambridge
- SEC Order – KMS
- SEC Cyber Enforcement Actions – Lessons for Private Fund Managers
- Key Takeaways From a Second Summer Blitzkrieg of SEC Cybersecurity Enforcement
- SEC Charges 8 Firms for Failures in Their Cybersecurity Policies and Procedures