Overview of Computer Crime and Its Costs
Stories about computer data breaches, such as the Adobe (2.9 million customers affected), Target (70 million customers affected) and JPMorgan Chase & Co. (456,000 customers affected) incidents, have figured prominently in the news.1 While national media attention has focused on a few large-scale, high-profile data security breaches like those that affected national retailers Target and Neiman Marcus, data security breaches are widespread and continue to grow in number and scale. For 2013, the Identity Theft Resource Center (ITRC) reported 614 data breaches involving 91.9 million compromised records, which represented a 30 percent increase over the 2012 data security breaches tracked by the ITRC.2 Similarly, a global study on data breach investigations published by the Verizon RISK Team reported that in 2013 there were 63,000-plus reported security incidents, of which 1,367 involved confirmed data disclosures that affected hundreds of millions of customers. Financial organizations were involved in 856 security incidents and 465 security incidents with confirmed data loss.3
The stakes for businesses that experience a data security breach are high and entail significant financial consequences. The Ponemon Institute’s 2013 Cost of Data Breach Study: Global Analysis reports that, on average, a data breach costs U.S. companies $5.4 million per data breach, or $188 per compromised record (average number of compromised records: 28,765).
Not surprisingly, computer security has become a subject of regulatory scrutiny. On April 15, as part of a National Exam Program Risk Alert published by the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC), OCIE announced that it will conduct examinations of more than 50 registered broker-dealers and investment advisers focusing on the following cybersecurity issues:
- Cybersecurity governance,
- Identification and assessment of cybersecurity risks,
- Protection of networks and information,
- Risks associated with remote customer access and funds transfer requests,
- Risks associated with vendors and other third parties,
- Detection of unauthorized activity, and
- Experiences with certain cybersecurity threats.
This examination sweep follows on the heels of the Financial Industry Regulatory Authority’s (FINRA) targeted examination sweep to assess brokerage firms’ approaches to managing cybersecurity threats. FINRA similarly focused on approaches to information technology risk assessment, business continuity plans in case of a cyber-attack, organizational structures and reporting lines, processes for sharing and obtaining information about cybersecurity threats, understanding of concerns and threats faced by the industry, assessment of the impact of cyber-attacks on the firm over the past 12 months, approaches to handling distributed denial of service attacks, training programs, insurance coverage for cybersecurity-related events, and contractual arrangements with third-party service providers.
Lessons to be Learned from the
While many in the cybersecurity field look ahead to anticipate the next threat, it is just as important to look back and review a handful of regulatory actions initiated by the SEC or FINRA to glean some lessons learned from cybersecurity vulnerabilities of the past.
Regulatory actions initiated by the SEC and FINRA relating to computer/information security are most often grounded in violations of Regulation S-P rather than the SEC’s or FINRA’s anti-fraud enforcement authority.4 Rule 30 of Regulation S-P (referred to as the Safeguards Rule), which implemented the privacy provisions in Title V of the Gramm-Leach-Bliley Act of 19995 provides:
Every broker, dealer, and investment company, and every investment adviser registered with the Commission must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to:
- Insure the security and confidentiality of customer records and information;
- Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
- Protect against any unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer
The following regulatory actions highlight a number of broad categories of cybersecurity/information security problems, including inadequate policies and procedures, failure to follow up on reported cybersecurity problems and weak computer security/computer password practices, to name a few. Often, inadequate policies and procedures provide poor guidance to employees who, in turn, make poor decisions that result in problematic actions. The facts6 that led to the regulatory action are summarized and then followed by bullet points regarding the trouble-causing problems and regulatory sanctions. For each regulatory action, a basic lesson is provided. Additional lessons follow the discussions of the regulatory actions. This article is not intended to be a comprehensive discussion of cybersecurity regulatory actions, but merely highlights a few cases.
Regulatory Actions by the
In the Matter of Marc A. Ellis, Release No. 34-64220 (April 7, 2011)7
Basic Lesson No. 1: Financial firms need information security policies and procedures that include some details and do not merely regurgitate the requirements of published regulations.
Facts: Laptop computers belonging to three registered representatives of GunnAllen Financial Inc. were stolen, and the computer password credentials belonging to a fourth registered representative were misappropriated. One of the stolen laptop computers contained names, dates of birth and Social Security numbers of 1,120 of GunnAllen’s customers. For the theft involving the computer with customer information, GunnAllen filed a report with the local police but did not take any other steps concerning the theft, and the laptop computer was never recovered. A letter notifying customers of the potential data breach was drafted but never mailed to the affected clients. In addition, a registered representative who was terminated a year earlier had misappropriated another employee’s passwords and was monitoring an employee’s email. Other than changing the registered representative’s password, no other follow-up action was ever taken by compliance. Marc Ellis, GunnAllen’s chief compliance officer, was responsible for maintaining GunnAllen’s customer information protection procedures.
- Inadequate Policies and Procedures. The policies addressing the protection of customer information contained in GunnAllen’s written supervisory procedure manual were “less than a page long” and “general and vague,” and they “simply recited the Safeguards Rule” and “provided examples of safeguards that may be adopted but did not specify policies actually adopted.” In addition, no procedures existed that addressed what registered representatives should do in the event of a possible data breach such as a stolen laptop computer.
- Failure to Implement Written Policies and Procedures. While GunnAllen’s procedures provided for a designated principal who was responsible for monitoring and testing computer safeguards, no one was ever appointed.
- Sanctions. Cease and desist order, censure and $15,000 penalty.
In the Matter of J.P. Turner
& Company LLC, Release No. ID-395 (May 19,
Basic Lesson No. 2: Policies and procedures need to have enough detail that employees understand what actions they should and should not take. Training should be provided to reinforce understanding of their responsibilities.
Facts: A registered representative placed records of 5,000 current or former J.P. Turner customers in the curbside trash pickup at his residence. The records included names, addresses, dates of birth, Social Security numbers and bank account numbers. The trash hauler never collected them, and they remained abandoned until J.P. Turner retrieved them, but J.P. Turner was unable to confirm that the records had all been retrieved.
- Inadequate Policies and Procedures. Manuals for the main office, registered representatives and branch managers simply restated the objectives of the Safeguards Rule, mandated that firm records be locked in file cabinets and be subject to random spot checks, and delegated to the chief compliance officer the responsibility to ensure compliance. There were no other policies that addressed the administrative, technical or physical safeguards for protecting customer records or properly disposing of them when they were no longer needed.
- Inadequate Training. Although J.P. Turner’s chief compliance officer emailed an NASD webcast to employees regarding customer data protection, the effectiveness of training provided by NASD webcast was weakened by instructions to viewers to review their company’s procedures, of which there were none.
- Sanctions. Cease and desist order and $65,000 penalty.
In the Matter of
Commonwealth Equity Services LLP, Release Nos. 34-60733 and
IA-2929 (Sept. 29, 2009)
Basic Lesson No. 3: Compliance policies and procedures work best when employees are required to follow them as opposed to recommendations that they can choose to ignore. Also, it is not good enough to know that a problem exists, a process must be in place to ensure that the problem is remediated.
Facts: An unauthorized individual obtained the login credentials of one of Commonwealth’s registered representatives through the use of a malware/keystroke logger virus. The virus was placed on a computer that did not have anti-virus software. Using the registered representative’s login credentials, the intruder entered Commonwealth’s intranet site, learned how to execute trades, and then launched a search query for customer accounts that generated a list of 368 accounts and provided personally identifiable information, including account name, account number, cash balance and last four digits of a customer’s Social Security number. The intruder placed 18 unauthorized purchase orders in eight accounts totaling over $523,000. Commonwealth’s clearing broker detected the activities, and the intruder was blocked from further trading. Commonwealth immediately canceled the unauthorized purchases and transferred them into its error account, which ultimately cost Commonwealth $8,000. Commonwealth reported the incident to the Commission and notified its clients.
- Inadequate Policies and Procedures. Commonwealth policies recommended as best practices for its registered representatives the use of anti-virus software on branch office computers but did not mandate such use.
- Failure to Follow Up on Computer Security Issues. Prior to the intrusion, Commonwealth’s IT help desk received several calls from the same registered representative whose computer had been hacked and whose computer was compromised by a software virus. The IT help desk recommended the purchase of anti-virus software, but did not follow up to confirm whether anti-virus software was purchased. In addition, Commonwealth had no written procedures that addressed follow-up regarding computer security issues reported to the IT help desk or uncovered in branch audits.
- Sanctions. Cease and desist order, censure and $100,000 penalty.
Wells Investment Securities Inc., Letter of Acceptance, Waiver and Consent No. 2009019893801 (Nov. 21, 2011)
Basic Lesson No. 4: Encrypt confidential information on mobile devices or, at a minimum, have the ability to wipe remotely the device. A company must verify that its policies and procedures are being followed by its employees.
Facts: Among other compliance issues, the FINRA letter notes that a laptop computer containing names, account numbers, Social Security numbers, addresses, telephone numbers and other investment data of over 37,000 customers was stolen from the car of an employee. The letter also noted that the employee who lost the laptop computer continued to have access to customer information after he was terminated by the firm but employed by an affiliate.
- Inadequate Policies and Procedures Regarding Encryption. Written procedures regarding Regulation S-P were generic as they required employees to secure all nonpublic financial information. The firm’s encryption policy required that only nonpublic financial information communicated to third parties be encrypted. There was no requirement that data contained on a firm laptop computer or confidential customer information shared with an affiliate be encrypted. Regular computer system audits did not include laptop computer security.
- Weak Password Protocols. There was no enforcement of the use of strong passwords through periodic password changes or forced password expiration.
- Sanctions. Censure and $300,000 fine.
In the Matter of Department
of Enforcement vs. Dante J. DiFrancesco, Complaint No. 2007009848801 (Dec.
Basic Lesson No. 5: Employees need to understand that confidential client information is not theirs to take to a new employer. Privacy regulations require, among other things, that before any nonpublic personal information of a client is disclosed to a non-affiliated third party (like a new employer), a client must be provided with a reasonable opportunity to opt out of the disclosure.
Facts: Mr. DiFrancesco, prior to terminating his employment with Banc of America Investment Services Inc. (BAIS) and without authorization from BAIS or its customers, downloaded onto a flash drive in excess of 36,000 customer names, account numbers and telephone numbers, and forwarded the information to his new employer. He had intended to download only his approximately 200 clients.8
- Downloading and Transmission of Customer Personal Information to Competitor Triggers Privacy Violations. DiFrancesco violated Regulation S-P by downloading and sending to a nonaffiliated third party nonpublic personal information. Regulation S-P, among other things, requires broker-dealers to provide consumers the reasonable opportunity before any nonpublic personal information is disclosed to a nonaffiliated third party to opt out of the disclosure.
- Sanctions. Fined $10,000 and suspended for 10 business days in all capacities.
D.A. Davidson &
Co., FINRA Letter of Acceptance, Waiver and Consent No.
200815299801, (Apr. 9, 2010)
Basic Lesson No. 6: Consider defense in depth for confidential information - encryption, password protection and segregation from third party accessible resources, to name a few. Monitor your computer network for unauthorized users, connections, devices and software.
Facts: A computer that housed a Web server with a persistent Internet connection also housed a database containing confidential customer information such as account names, account numbers, dates of birth and Social Security numbers. The database was not secured by password and not encrypted. Through hacking by use of a structured query language (SQL) injection,9 the confidential information of 192,000 customers in the database was exfiltrated. The SQL injection attacks were visible on Web server logs, but logs were not monitored. The firm learned of the breach when the perpetrator demanded a sum of money in furtherance of the extortion scheme.
- Inadequate Policies and Procedures. The firm lacked (1) written procedures for review of system Web server logs10 and (2) a policy for responding to intrusions.
- Failure to Adopt a Recommendation by an Independent Auditor and Outside Security Consultant That the Firm Implement an Intrusion Detection System. While the firm employed an outside security consultant to audit network security and make recommendations, the recommendation to employ an intrusion detection system had not been implemented by the time the computer hack occurred.
- Poor Computer Security Protocols. D.A. Davidson failed to encrypt a database containing nonpublic customer information, even though it was exposed to the Internet. D.A. Davidson also failed to require a password to access a firm database containing nonpublic customer information.
- Sanctions. Censure and fine of $375,000.
Inc., FINRA Letter of Acceptance, Waiver and Consent No.
2007009780901, (April 28, 2009).
Basic Lesson No. 7: Strong password protocols are essential. Have a procedure in place so that your employees know what actions to take in the event of a computer security breach. Even anonymous tips regarding computer security breaches should be given serious consideration.
Facts: Centaurus set up a computer fax server using a third-party service provider so that its brokers could send computer-related account documents that included Social Security numbers, addresses and account numbers to the trading and operations department of the home office. Upon being warned by an anonymous third party that the security of its computer fax server was compromised, and that it hosted a phishing site11 and exposed confidential information to the public, Centaurus did not act on the warning until two customers, who were also notified by the anonymous third party, contacted Centaurus about the breach. Subsequently, Centaurus mailed inaccurate data breach notification letters to its customers and registered representatives.
- Inadequate Supervisory System and Procedures. Centaurus improperly configured its firewall and used poor password protocols, including a user name of “Administrator” and password of “password,” which allowed unauthorized individuals on the Internet to connect to the computer fax server and access all the images stored on the computer fax server.
- Inadequate Response to Security Breach. While Centaurus was warned by an anonymous third party that the computer fax server had been compromised and was hosting a phishing site, Centaurus did not take any action until two customers, who were also warned by the anonymous third party that their confidential information was accessible, had their registered representatives complain to Centaurus about the breach.
- Inadequate Investigation. Centaurus limited its review of the computer fax server logs to the month of the breach rather than reviewing for unauthorized access going back to when the computer fax server was installed.
- Sanctions. Censure and fine in amount of $175,000.
Additional Lessons to Be
The following bullet points summarize some additional lessons to be learned from the foregoing regulatory actions and suggest some action items and questions to ask about your company’s own cybersecurity practices.
- Periodically review and reassess your
company’s data privacy and computer security policies and procedures, as well as
how they are communicated to your employees and implemented.
- Are policies and procedures sufficiently detailed so that employees understand their obligations and responsibilities under the policies and procedures?
- Does your company verify that employees are following policies and procedures after they are adopted?
- Are your employees’ actual practices consistent with the policies and procedures?
- Are consequences for employee non-compliance with policies and procedures severe enough to deter non-compliant behavior?
- Are policies and procedures staying up to date with technological advances?
- Does your company require employees to practice computer security best practices (e.g., use passwords with a mix of uppercase and lowercase letters, numbers and symbols)?
- Is information that needs protection secure? Has your company considered the mobility of that information and its security?
- Are computer systems and related access points tested and monitored?
- Are employees aware of the proper way to dispose of information that is no longer required to be held?
- Periodically review and reassess your
company’s employee education/training programs.
- Do your employees understand what your company’s compliance policies and procedures require them to do?
- Does your company solely rely on written materials to inform employees of their compliance obligations or are training programs offered to review and explain those obligations?
- Are employees aware of the various computer threats so they can be recognized when they occur?
- Periodically review and reassess your
company’s preparedness to handle a computer security breach.
- Is your company prepared to move quickly to remediate in the event of a computer security breach?
- Is your company’s IT staff sufficiently trained to recognize a security breach when it occurs and to act quickly to remediate?
- Does your company have a team already established that can begin to deal with a security breach as soon as it is discovered?
- Is the leader of the security breach team granted sufficient authority so that decisions made by the team may be quickly executed?
- Does your company conduct periodic “fire drills” or other exercises to test the preparedness of your company’s staff in the event of a security breach?
- Review and reassess the data privacy and
computer security policies and procedures as they relate to third
- Do your company’s employees understand under what circumstances proprietary or confidential personally identifiable information can be provided to third parties?
- Does someone in your company keep track of third parties who receive confidential or proprietary information?
- Are third-party data privacy and computer security policies and procedures assessed before information is provided to such third parties?
Is Your Company Prepared to Meet the Challenges Posed by
The number, frequency and sophistication of cybersecurity incidents increases with each passing year. Computer security threats are growing and so is regulatory scrutiny of practices adopted by companies to address these threats. Do the answers to the foregoing questions give you comfort that your company is satisfactorily positioned to address computer threats and related regulatory inquiries about your company’s cybersecurity preparation, or do they indicate that additional preparation is needed to address cybersecurity threats?
With offices in New York, Philadelphia and Washington, D.C., Stradley Ronon provides sophisticated, pragmatic comprehensive legal services and capabilities to domestic and international clients in areas such as financial services, securities regulatory investigation and enforcement, structured finance and derivatives, private equity and hedge funds, health care and energy, among other areas. The firm maintains one of the premier investment management practices in the United States, representing investment company clients with more than 1,000 separate funds and assets under management approaching $2 trillion, including several of the largest investment company complexes in the country. Partner Ken Greenberg counsels investment companies, investment advisers and broker-dealers on regulatory matters relating to separate accounts and pooled investment products, including registered and unregistered and open- and closed-end investment companies. He can be reached at firstname.lastname@example.org or 215.564.8149.
- See Ellen Messmer, “The Worst Data Breach Incidents of 2013,” (Jan. 8, 2014), http://www.networkworld.com/slideshow/135100/the-worst-data-breach-incidents-of-2013.html; Tony Bradley, “Why 2013 was the Year of the Personal Data Breach,” (Dec. 26, 2013), http://www.pcworld.com/article/2082961/why-2013-was-the-year-of-the-personal-data-breach.html.
- “2013 Data Breaches,” Identity Theft Resource Center (Feb. 20, 2014), http://www.idtheftcenter.org/ITRC-Surveys-Studies/2013-data-breaches.html/
- 2014 Data Breach Investigations Report at p. 2 and p. 6.
- FINRA regulatory actions also include citations involving Rule 3010 (failure to supervise) and Rule 2010 (failure to conduct high standards of commercial honor and just and equitable principles of trade). In contrast, the Federal Trade Commission, another regulator in the privacy and data security field, uses its authority to police unfair and deceptive trade practices as a means to enforce companies’ privacy policies and address cybersecurity issues.
- Gramm-Leach-Bliley Act of 1999, Public L. No. 106–102, 113 Stat. 1338, Nov. 12, 1999.
- Generally, in SEC orders instituting administrative cease and desist proceedings and FINRA letters of acceptance, waiver and consent, the party involved neither admitted nor denied the findings contained in the regulatory action.
- In related enforcement actions, the president of GunnAllen Financial Inc., Frederick O. Kraus, and National Sales Manager David C. Levine were each censured and fined $20,000 for improperly transferring customer records to another firm (i.e., personal nonpublic information was supplied to another firm without proper client notice and without providing the client with a reasonable opportunity to opt out of the transfer) in connection with the winding down of GunnAllen’s business operations. In the Matter of Frederick O. Kraus, Release Nos. 34-64221 (April 7, 2011) and In the Matter of David C. Levine, Release No. 34-6422 (April 7, 2011).
- See also In the Matter of NEXT Financial Group Inc., Release No. ID-349 (June 18, 2008). SEC administrative law judge fined NEXT Financial $125,000 for permitting registered representatives who were leaving the firm to take confidential personally identifiable information and encouraged registered representatives from other firms who were recruited to join NEXT Financial to bring confidential personally identifiable information to NEXT Financial.
- An SQL injection is an attack whereby computer code is repeatedly inserted into a Web page for the purpose of extracting information from a database.
- D.A. Davidson did monitor perimeter security logs, but the attacks were not visible on such logs.
- The fax servers were being used to host a counterfeit eBay Web page in connection with a mass email sent that had a link to the counterfeit website, which requested an update of personal information.