Memo #23863

SEC Sanctions Registrant for Violating Regulation S-P by Failing to Require Antivirus Software

October 8, 2009

TO: TECHNOLOGY COMMITTEE No. 20-09
    PRIVACY ISSUES WORKING GROUP No. 13-09
    INTERNAL AUDIT ADVISORY COMMITTEE No. 5-09

RE: SEC SANCTIONS REGISTRANT FOR VIOLATING REGULATION S-P BY FAILING TO REQUIRE ANTIVIRUS SOFTWARE

The SEC recently settled an administrative action alleging a firm’s violation of Regulation S-P.*  The firm, which was dually registered as a broker-dealer and investment adviser, provided its representatives with access to its clearing broker’s proprietary trading platform through the firm’s intranet trading site.  Using login credentials, the firm’s representatives could access the trading platform online from any computer with an Internet connection.  Pursuant to its independent contractor model, the firm required its representatives to supply their own computer hardware and software.  According to the SEC’s Order, the firm recommended – but did not require – that its registered representatives maintain antivirus software on their computers, which the representatives used to access customer account information on the firm’s intranet and trading platform.  Also, the firm did not have procedures in place to adequately review its representatives’ computer security measures so the firm’s internal auditors did not audit branch office computers to determine whether antivirus software was installed.

In early November 2008, an unauthorized party obtained the login credentials of one of the representatives through the use of a computer virus and was thereby able to access the firm’s intranet and view information on how to execute trades.  Approximately a week later, the intruder used the same credentials to enter the trading platform and run a search of all customer accounts with cash balances in excess of a certain amount, which generated a list of 368 broker-dealer and investment advisory customer accounts, including the accountholder’s name, account number, account registration type, account net worth, cash balance, and last four digits of the accountholder’s social security number.  Using this information, the intruder entered eighteen unauthorized purchase orders in eight accounts totaling $523,000.  Within ten minutes of placing the trades, the unauthorized activity was detected by the firm’s clearing broker-dealer and the intruder was blocked from further trades.  The unauthorized trades were immediately cancelled and both the SEC and the 368 accountholders were notified.   

While the Order found that the firm had policies and procedures in place that were apparently designed to safeguard customer records and information at the time of the intrusion, the firm only recommended, but did not mandate, antivirus software even though the firm “was aware of the threat to the security of customer records and information and potential for unauthorized access that could result from a computer virus.”  In addition, the firm did not have adequate procedures in place to follow up on potential antivirus computer security issues uncovered when representatives contacted the Information Technology (IT) help desk for computer-related assistance.


Based on the above, the Order finds that the firm willfully violated the Safeguards Rule (i.e., Section 248.30 of Regulation S-P), “by failing to require basic safeguards such as antivirus software on all . . . registered representatives’ computers conducting business over the Internet and by failing to follow up, or have written procedures addressing the follow up, on security issues either uncovered in branch audits or reported to the IT help desk, the firm failed to adhere to the standards of reasonable design imposed by the Safeguards Rule.”  Based on its violation, the firm was censured, ordered to cease and desist from further violation, and fined $100,000.

Tamara K. Salmon
Senior Associate Counsel

Endnotes

* See In the Matter of Commonwealth Equity Services, LLP d/b/a Commonwealth Financial Network, SEC Release Nos. 34-60733 and IA-2929 (File No. 3-13631; September 29, 2009) (the “Order”), which is available at: http://www.sec.gov/litigation/admin/2009/34-60733.pdf.