Data breaches are a growing concern for broker-dealers in the financial services industry. In recent months, the Securities and Exchange Commission (SEC) has reported a spike in “attempts by outside bad actors” to gain access to accounts. Broker-dealers that fail to protect customer data, or fail to properly report suspicious activity, could run afoul of the SEC and the Financial Crimes Enforcement Network (FinCEN).
That was recently the case for GWFS Inc., the second-largest record-keeping retirement service provider in the United States. GWFS, an SEC-registered broker-dealer, has been fined $1.5 million for allegedly failing to report hacking and attempted hacking.
According to the SEC, GWFS was aware of hacking and attempted hacking of customer accounts over a three-year period but failed to file about 130 suspicious-activity reports (SARs). The SEC also claims that GWFS filed 300 incomplete reports linked to hacking.
Even though GWFS “detected most of these attempts before the bad actors could request a distribution,” hackers did gain access to some electronic login information.
The SEC noted that, in one instance, a person fraudulently used hacked information to impersonate a plan participant, call a GWFS call center and successfully request a distribution of $128,000. The same phone number was reportedly used at least two more times to take over accounts.
Omitting The ‘Five Elements’
Under FinCEN rules, broker-dealers are required to report “five essential elements” regarding data breaches: 1) who, 2) what, 3) when, 4) where and 5) why. That information includes IP addresses and email addresses.
The SEC claims that GWFS failed to provide essential elements in about 300 reports that were filed.
GWFS has reportedly already taken prompt steps to remedy the situation, and has substantially cooperated with SEC staff. As part of its settlement with the SEC, GWFS did not admit or deny the agency’s findings.
If you have questions about SEC investigations or other civil or criminal exposure in financial matters, please contact the attorneys at Ford O’Brien. We advise and represent clients in New York and nationwide.
Source: Law360, “SEC Fines Broker $1.5M For Failure To Report Cybercrimes,” May 12, 2021