Memo #31421

SEC Sanctions Broker-Dealer/Adviser for Cyber Violations


October 4, 2018

TO: Chief Compliance Officer Committee
Chief Information Security Officer Advisory Committee
Chief Risk Officer Committee
Internal Audit Committee
Operations Committee
Small Funds Committee
Technology Committee

RE: SEC Sanctions Broker-Dealer/Adviser for Cyber Violations


The SEC recently announced the settlement of an enforcement proceeding that it brought against a firm that is dually registered with the SEC as an investment adviser and broker-dealer and that involved deficient cybersecurity procedures.[1] According to the SEC’s Order, the Respondent’s deficient cybersecurity procedures resulted in the Respondent violating: (1) Rule 30(a) of Regulation S-P, which requires registrants to safeguard customer records and information; and (2) Rule 201 of Regulation S-ID, which requires registrants to develop and implement a written Identity Theft Prevention Program. As a result of these violations, the Registrant was censured, ordered to cease and desist from further violations, and fined $1 million. It was also required to undertake certain remedial actions including retaining a compliance consultant for two years who is required to report to the Respondent and the Commission regarding findings and recommendations. The facts of this case are briefly summarized below.

According to the Order, the Registrant offers various financial products to consumers through a national network of independent contractors that are registered representatives of the Registrant. The Registrant has over 1000 employees and 3800 associated persons, including these independent contractors, who work out of their own offices at approximately 1200 locations throughout the United States. These independent contractors access the Registrant’s customer information through a proprietary web portal (the “Portal”), which provides them access to the Registrant’s systems and customer account information and the ability to effect transactions for customers.

The Registrant had no cybersecurity staff of its own.  Instead, it outsourced these functions to the Registrant’s parent company. The parent company was additionally responsible for servicing call centers for the Registrant’s customers and for assisting independent contractors with the Portal.  While the Registrant’s parent company had cybersecurity policies and procedures that governed the Registrant, according to the Order, these policies and procedures were not reasonably designed to apply to the systems the independent contractors used to connect with the Registrant and the Portal. For example, they did not apply the policies’ 15-minute inactivity timeouts to users of the Portal; did not include a procedure to terminate an independent contractor’s remote session; did not require reset passwords to be sent via secure email; and rendered ineffective the system’s multi-factor authentication when users of the Portal contacted the parent’s support team to request a reset of Portal passwords. The Order also found that:

  • While the parent company maintains a “monitoring list” of phone numbers suspected of having been used in connection with prior fraudulent activity, there was no policy or procedures that required the parent to consult this list prior to resetting passwords or accepting calls for service;
  • The independent contractors’ personal computers were not effectively scanned for the existence of antivirus software, encryption, and software updates;
  • For those personal computers that were scanned, there was a 30% failure rate (with half of those exhibiting critical failures such as lack of encryption or no antivirus software) with no review or follow-up by the parent;
  • The Registrant did not provide notice to a customer when an initial profile was created in the Portal for that customer or when contact and document delivery preferences were changed for that customer;
  • While the Registrant’s policies and procedures required, as part of the firm’s incident response plan, that potentially compromised user accounts be disabled or shut down in the Portal, this was not done;
  • The parent’s IT security staff, who were responsible for responding to security incidents, “were not provided with adequate training regarding the operation of [the Portal] and erroneously believed that resetting a [Portal] password for a user would terminate that user’s existing session, which was not the case”;
  • While the Registrant had informally adopted a procedure to place flags on the accounts of an independent contractor or its customers when such accounts might have been compromised, “unbeknownst to the security staff, such flags were erased from the system periodically in connection with unrelated system activities;”
  • The Respondent failed to update its Identity Theft Prevention Program in response to changes in risks to the Respondent’s customers and failed to train its staff regarding new risks; and
  • Once the Respondent discovered that intruders had obtained access to the Portal and personally identifiable information on the Registrant’s customers, the Registrant did not have reasonable procedures to change security codes, employ other security devices, or modify existing procedures in order to deny unauthorized persons access to the Registrant’s customer accounts.

On three days in April 2016, one or more persons impersonated independent contractors of the Respondent. This was preceded in January and March 2016 by other fraudulent activity in which unknown persons impersonated representatives of the Respondent, including one representative who was again impersonated in the April attacks. These impersonators contacted the Registrant’s parent company to seek help with the Portal. Two of these calls came from a phone number that was previously suspected of being used for fraudulent activity at the Registrant. In connection with these calls, the callers provided two forms of the independent contractors’ personal information and requested a reset of the contractor’s password. In response to the request, the parent company reset the passwords and provided a temporary password to the caller by phone. In two instances, the parent company also provided the caller the representative’s user name. This information enabled the impersonators to log in to the Portal.

According to the Order, once the intruders logged in, they had access to the nonpublic personal information on approximately 5600 customers, including address, DOB, last four digits of the SSN, and email addresses. For at least 2000 customers, the intruders also had access to full SSNs or other government-issued identification numbers. The intruders also edited and ran reports containing customer information and obtained access to unique variable annuity contract numbers that could be used to authenticate a customer. While the intruders also had the ability to access a platform to manage customer accounts and initiate customer transactions, apparently they did not use this platform. 

When one of the Registrant’s independent contractors received an email notifying him that his password had been changed, he notified the firm that he had not requested this change. This resulted in the parent company’s security response team formally directing staffers not to provide user names and temporary passwords by phone. However, between the time the firm learned of the compromised account and this direction, the intruders had obtained another independent contractor’s credentials, which were also used to access the Portal. Also, the direction to staffers was not heeded: five days after it was issued, another employee provided an intruder with yet another independent contractor’s credentials.

While the parent company’s security team identified certain IP addresses that were likely involved in the intrusion, they failed to block these IP addresses or freeze the compromised sessions “in part based on their mistaken belief that resetting the compromised [Portal] passwords would terminate these sessions.” As a result, the intruders continued to have access to the system and customers’ nonpublic personal information.
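The deficiencies the Order describes in the help-desk reset flow (no check of the “monitoring list” before a reset, temporary passwords and user names read out by phone, and the mistaken belief that a password reset ends a live session) come down to a handful of controls. The following is an added reference model of those controls, not code from the memo, the Order or the Respondent; the Portal, the session store, the monitoring list and the phone numbers are all constructed for illustration.

```python
# Added example: reference model of the reset-flow controls the Order found
# missing. Not the Respondent's system; all data below is constructed.
from dataclasses import dataclass, field
import secrets

# Constructed sample of the "monitoring list": numbers tied to prior suspected fraud.
MONITORING_LIST = {"+1-555-0100", "+1-555-0199"}


@dataclass
class Portal:
    sessions: dict = field(default_factory=dict)        # user -> set of live tokens
    compromise_flags: set = field(default_factory=set)  # users held for security review
    secure_outbox: list = field(default_factory=list)   # out-of-band credential delivery
    audit_log: list = field(default_factory=list)

    def login(self, user: str) -> str:
        token = secrets.token_hex(16)
        self.sessions.setdefault(user, set()).add(token)
        return token

    def is_session_valid(self, user: str, token: str) -> bool:
        return token in self.sessions.get(user, set())

    def terminate_sessions(self, user: str) -> int:
        """Revoke every live session for the user. Changing the password
        alone does not do this; it must be an explicit step."""
        count = len(self.sessions.pop(user, set()))
        self.audit_log.append(("sessions_terminated", user, count))
        return count

    def phone_reset_request(self, user: str, caller_number: str) -> dict:
        """Help-desk password reset. The agent sees only the outcome: the
        temporary password and the user name are never part of the reply."""
        if caller_number in MONITORING_LIST:
            # A monitored number naming this account is itself a signal: hold the
            # account for review rather than silently declining.
            self.compromise_flags.add(user)
            self.audit_log.append(("reset_refused", user, "monitoring_list"))
            return {"status": "refused", "reason": "monitoring_list"}
        if user in self.compromise_flags:
            self.audit_log.append(("reset_refused", user, "account_flagged"))
            return {"status": "refused", "reason": "account_flagged"}
        temp_password = secrets.token_urlsafe(12)
        killed = self.terminate_sessions(user)              # cut any intruder's live session
        self.secure_outbox.append((user, temp_password))    # secure email, never by phone
        return {"status": "reset", "sessions_terminated": killed, "delivery": "secure_email"}
```

A persistent `compromise_flags` store is the point the Order makes about flags being erased by unrelated system activity: here the flag is honoured until security staff clear it.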

The Order continues:

          After the first contractor representative notified [the Respondent] of the fraudulent reset of his password, [the Respondent’s] annuity customer service call center received five telephone calls from unknown callers impersonating one of the representative’s customers and three calls from unknown callers impersonating the representative himself. These calls came in from four different phone numbers, which in six instances had area codes outside of the customer’s and the representative’s state of residence.  Several of the calls came in from a number on the ‘monitoring list.’  The callers obtained account-level information from technical support, changed the customer’s email address of record to a ‘@yop.com’[2] email address, and caused [the Registrant] to send certain of the customer’s account documents to that address.[3]

The Order notes that the intruders were able to obtain customer-specific account documents for two additional customers of the Registrant by establishing online profiles that provided them access to account balances, account documents, and tax documents, among other information. They also used these profiles to change the customers’ email addresses of record to disposable email addresses, to change the customers’ phone numbers of record, and to change the delivery method for statements and account confirmations from mail to online and email.

Although the Registrant conducted testing of some independent contractors’ password resets in an effort to identify the scope of the intrusion, the testing only covered a limited period of time, which was shorter than the period of intrusion. Also, 41% of the resets tested resulted in an “unable to reach” finding, and there was no follow-up with those contractors.

After the intruders voluntarily left the Registrant’s networks, the Registrant blocked two malicious IP addresses. The intruders continued their attempts to obtain distributions and information from the compromised accounts by contacting the Registrant’s customer support call centers, as well as other financial institutions. According to the Order, no unauthorized transfers of funds or securities from customer accounts resulted from the intruders’ attack.

As noted above, the Order finds that the Respondent’s conduct resulted in the Respondent willfully violating Rule 30(a) of Regulation S-P and Rule 201 of Regulation S-ID and sanctioned the firm for such violations. The Order noted, however, that, following the intrusion, the Respondent undertook certain remedial acts including: blocking the malicious IP addresses; revising its user authentication policy to prohibit providing temporary passwords by phone; issuing breach notices to affected customers and providing such customers free credit monitoring for one year; implementing effective multi-factor authentication for the Portal; and naming a new Chief Information Security Officer who is responsible for creating and maintaining cybersecurity policies and procedures and an incident response plan tailored to the Respondent’s business.  


Tamara K. Salmon
Associate General Counsel

endnotes

[1] See In the Matter of Voya Financial Advisors, Inc., SEC Release No. 84288 (September 26, 2018) (the “Order”), which is available at: https://www.sec.gov/litigation/admin/2018/34-84288.pdf. The SEC also published a press release about this action. See SEC Charges Firm With Deficient Cybersecurity Procedures, SEC (Sept. 26, 2018 at 6:35 AM EDT), which is available at: https://www.sec.gov/news/press-release/2018-213.

[2] A footnote to the Order explains that “Yopmail.com is a disposable email service that allows users to create an email address, review incoming emails, and destroy all content thereunder.” Order at fn. 9.

[3] Order at ¶ 31.