Memo #
22866

SEC Sanctions Registrant For Reg. S-P Violations Resulting From Information Security Weaknesses The Firm Knew Existed


September 15, 2008

TO: COMPLIANCE MEMBERS No. 44-08
INTERNAL AUDIT ADVISORY COMMITTEE No. 5-08
PRIVACY ISSUES WORKING GROUP No. 11-08

RE: SEC SANCTIONS REGISTRANT FOR REG. S-P VIOLATIONS RESULTING FROM INFORMATION SECURITY WEAKNESSES THE FIRM KNEW EXISTED

The SEC recently settled an action with a firm registered with the SEC as a broker-dealer, investment adviser, and transfer agent, which involved a violation of Regulation S-P. [1] In particular, the SEC found that the firm willfully violated Section 248.30 of Regulation S-P, which requires SEC registrants to have written policies and procedures that are reasonably designed to safeguard customer records and information.  The SEC’s proceeding was commenced after the firm experienced a breach in its proprietary trading system, which breach the firm’s internal auditors had warned of due to documented security weaknesses in such system.  The facts of this case and the sanctions imposed by the SEC are briefly described below.

Summary of the SEC’s Findings

According to the Order, between July 2007 and February 2008, the firm experienced a series of computer system security breaches in which unauthorized persons accessed and traded, or attempted to trade, in the customer accounts of several of the firm’s registered representatives.  As of the date of these incidents, the firm had failed to implement increased security measures and adopt policies and procedures as required by Regulation S-P that are reasonably designed to safeguard customer information.  While the firm detected the breaches and absorbed the losses in the customer accounts, the Order found the firm’s failures left customer information vulnerable to identity thieves or other unauthorized users.

              The Commission’s Order notes that from July through September 2006, the firm conducted an internal audit of it computerized trading system to evaluate its security and controls.  This audit revealed various deficiencies and concluded that weaknesses in the system “would increase the likelihood that an unauthorized person(s) would obtain confidential information and unauthorized trades could occur,” including account intrusions.  The internal audit department’s report was provided to the firm’s Chief Information Officer in December 2006, shared with senior management in early 2007, and presented to the executive risk committee in May 2007.  According to the audit department’s report, the firm could elect to either spend in excess of $500,000 adopting enhancements to the system or not adopt such recommended enhancements if they would not be cost effective.  In June 2007, the firm created a separate committee to evaluate and implement security for the firm’s computerized trading system.  According to the Order, however, the firm “failed to take immediate corrective action.  As a result, as of the time of the security breach in July 2007, [the firm] in reckless disregard of the regulatory requirements, had not implemented increased security measures and policies and procedures in response to the internal audit.” 

 

Sanctions Imposed by the SEC

Based on the firm’s willful violation of Regulation S-P, the Order includes a number of undertakings the firm agreed to.  These include, among others:

  • Devising and implementing a set of procedures for training its employees and all registered representatives regarding safeguarding customer records and information;
  • Retaining an independent consultant to review the firm’s Regulation S-P policies and procedures and make recommendations concerning them; and
  • Implementing the independent consultant’s recommendations or, if the broker-dealer disagrees with such recommendations, notifying the Commission in writing of such disagreement.

In addition, the firm was censured, ordered to cease and desist from further violations of Section 248.30 of Regulation S-P, and fined $275,000.

Tamara K. Salmon
Senior Associate Counsel

Endnotes

[1] See In the Matter of LPL Financial Corporation, Order Instituting Administrative and Cease-and-Desist Proceeding Pursuant to Section 15(b) and 12C of the Securities Exchange Act of 1934 and Sections 203(e) and 203(k) of the Investment Advisers Act of 1940, Making Findings, and Imposing Remedial Sanctions and a Cease-and-Desist Order as to LPL Financial Corporation, SEC Release No. 34-58515 (September 11, 2008) (the "Order"). The Order is available on the SEC's website at: http://sec.gov/litigation/admin/2008/34-58515.pdf