Alert September 16, 2008

SEC Settles Enforcement Proceeding over Broker-Dealer’s Failure to Comply with Reg. S P Requirements for Safeguarding Customer Information

The SEC settled an enforcement action against a firm registered as a broker-dealer and investment adviser for the firm’s failure to adopt policies and procedures reasonably designed to safeguard personal customer information under Rule 30(a) of Regulation S-P (the “Safeguards Rule”).   Since July 2001, the Safeguards Rule has required registered broker-dealers and advisers, and other entities subject to SEC regulation, to maintain policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information, and are reasonably designed to insure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of customer records and information, and protect against unauthorized access to or use of customer records or information.  In 2005, the SEC amended Regulation S-P to require that these policies and procedures be in writing.  (The SEC has since proposed amendments to Reg. S-P that create more specific standards under the Safeguards Rule, as discussed in a March 11, 2008 Goodwin Procter Client Alert.)  The SEC’s findings in this settled proceeding focus on the firm’s failure to maintain adequate written policies and procedures addressing the Safeguards Rule, and its failure to respond in a timely and appropriate manner to an internal audit that found weaknesses in the security of the Internet-based trading platform (the “Platform”) the firm’s registered representatives (“RRs”) used to enter customer trades.

Security Breaches in Web-based Trading Platform.   During the period July 2007 - February 2008, unauthorized persons accessed and traded, or attempted to trade, in customer accounts by gaining access to 13 RR accounts on the Platform.  Once logged on to the Platform, the unauthorized persons placed, or attempted to place, 209 unauthorized trades in 68 customer accounts, and may have had access to non-public information of at least 10,000 customers. Altogether, the unauthorized persons attempted to place over $700,000 in trades in securities of nineteen different companies.  The firm detected the unauthorized and inappropriate trade requests, most of which were blocked by the Platform. In some cases, however, unauthorized trades were executed through customer accounts.  The firm promptly reversed or eliminated the resulting customer positions and compensated the customers for the resulting trading losses, which totaled approximately $98,900. 

Inadequacy of Written Policies and Procedures.  The SEC found that the firm had failed to have a customer information policy for its employees and branch RRs describing its overall program that complied with the Safeguards Rule.  Although the firm had some documents addressing policies for safeguarding customer records and information, those documents did not constitute, either individually or in combination, a complete set of policies and procedures addressing administrative, technical, and physical safeguards reasonably designed to protect customer records and information at the firm’s branch offices.  Among other things, these documents included only limited and insufficient written materials (and, in some instances, only suggestions or recommendations, as opposed to mandates) regarding safeguarding customer information.  In addition, when Regulation S-P was amended in 2005 to require that policies and procedures for safeguarding of customer information be written, the firm failed to comply.

Internal Audit Report Identifies Deficiencies in Trading Platform Security. In mid-2006, the firm conducted an internal audit in mid-2006 that identified inadequate security controls to safeguard customer information at its branch offices.  The internal auditors identified the following weaknesses: (1) RR passwords did not meet industry standards for so-called “strong” passwords, because, among other things, the passwords had no requirements on length or alphanumeric/special character combinations; (2) passwords were not set to expire after a certain period of time; (3) users could not change their own passwords; and (4) there was no automatic lockout feature related to unsuccessful login attempts.  In addition, over 300 of the firm’s information technology employees had access to a list of Platform passwords, and a number of former employees likely had access to such a list before leaving the firm.  The firms’ internal auditors further observed that the Platform’s automatic session timeout limit of eight hours was believed to be significantly longer than the timeout periods used by other financial services firms for similar applications.  The audit concluded that weaknesses in the Platform’s security would increase the likelihood that unauthorized persons could obtain confidential information and make unauthorized trades. 

Failure to Take Prompt, Appropriate Corrective Action .  A written report of the internal audit was finalized and provided to the firm’s Chief Information Officer in December 2006.  In early 2007, the report was shared with members of the firm’s senior management, and later in May 2007, the report was presented to the firm’s executive risk committee.  Among the specific risks identified for both senior management members and the executive risk committee were risks that (a) an intruder could hack into the Platform and cause financial loss to advisers and customers; and (b) an unauthorized individual could steal client information or execute unauthorized trades.  The firm’s executives were further warned that more than 90% of all security breaches involved loss of information in digital form.   The firm’s enterprise risk management organization cautioned that further review of access control issues for the Platform identified in the audit report could lead to a finding or opinion by its independent auditors that the firm had ineffective controls.   The firm’s internal audit department reported that password complexity controls and session inactivity controls for the Platform could be implemented at an estimated cost exceeding $500,000.   In June 2007, the firm created a separate committee to evaluate and implement security for the Platform. 

Violations and Sanctions.  The SEC found that the firm willfully violated the Safeguards Rule and in particular, that the firm’s failure to take immediate corrective action in response to the weaknesses identified in the internal audit by the time of the security breach in July 2007, constituted reckless disregard of its duties under the Safeguards Rule..  Under the terms of the settlement, which reflected the SEC’s consideration of the firm’s remedial efforts and cooperation, the firm is subject to a cease and desist order and censure, and will be required to pay a penalty of $275,000.  The firm also agreed to undertake the following remedial measures: (a) devising and implementing a policy and a set of procedures for training employees and RRs on safeguarding customer records and information; and (b) engaging an independent consultant to (i) review the firm’s written policies and procedures relating to the Safeguards Rule, and (ii) make recommendations designed to assure they comply with the Safeguards Rule.