Monetary Fine Illustrates Securities Regulator's Concern For Privacy of Customer Information
By James Eccleston
The Securities and Exchange Commission (SEC) recently fined a broker-dealer and investment adviser $100,000 for failing to protect the privacy of customer information. Let's examine what went wrong and how customers at the firm, Commonwealth Equity Services, LLP d/b/a Commonwealth Financial Network ("Commonwealth"), were exposed to an Internet intruder.
Preliminarily, Regulation S-P (known as the "Safeguards Rule") requires every firm registered with the SEC to adopt written policies and procedures reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
Commonwealth did have policies and procedures in place to safeguard customer records and information from intrusion, and it disseminated those policies and procedures to its financial advisers. Commonwealth likewise was aware that a computer virus might allow an unauthorized access to such records and information. As a result, the firm recommended as a best practice the use of antivirus software on all office computers. The problem, and the basis for the fine, was that Commonwealth did not require its financial advisers to use such antivirus software.
In November 2008, an unauthorized party obtained the login credentials of a Commonwealth financial adviser who did not have antivirus software properly deployed. Through malware (a keystroke logger) installed on the adviser's computer, this intruder was able to access Commonwealth's intranet and view information on how to execute trades. About one week later, the intruder gained access the same way, but this time the intruder ran a search query for the financial adviser's customers who had cash balances in excess of a certain amount. The system generated a list of 368 accounts and gave the intruder access to the account name, account number, account registration type, account net worth, cash balance, and the last four digits of the account owner's Social Security number for all 368 accounts. On that same day, the intruder placed or attempted to place 18 unauthorized purchase orders for the common stock of one publicly-traded company in 8 of the 368 customer accounts identified, totaling over $523,000 of unauthorized purchases!
Fortunately, within 10 minutes of placing the trades, Commonwealth's clearing broker-dealer detected the activity and blocked the intruder from further trading. To its credit, Commonwealth immediately canceled the unauthorized purchases, transferred them to its "error account", absorbed losses of approximately $8,000, notified all 368 account holders, and reported the incident to the SEC.
In the course of its investigation, the SEC also found that Commonwealth did not have procedures in place to adequately review the computer security measures adopted by each of its financial advisers. At Commonwealth, each adviser is responsible for purchasing his/her own computer software and hardware and operates as an "independent contractor." The SEC determined that "Commonwealth's internal auditors did not audit branch office computers to determine whether antivirus software was installed, nor did Commonwealth have procedures in place to follow up on potential computer security issues uncovered during branch audits or when registered representatives contacted Commonwealth's information technology help desk for computer-related assistance."
Indeed, the SEC specifically faults Commonwealth for its failure to adequately address the virus complaints made two months prior to November 2008 by the very same financial adviser whose computer was hacked by the intruder! When Commonwealth's IT help desk finally (in early November) told the adviser that he had a "major virus" and that he should take the computer to his local computer technology person to have it repaired, it was too late: the intruder already knew the financial adviser's login credentials.
The SEC concludes by finding that Commonwealth failed to adhere to the standards of the Safeguards Rule. The finding should send a chilling reminder to all financial services firms that their technology systems need to be current and effective in order to comply with Regulation S-P.
_______________________________________________________________________
About the Author:
James J. Eccleston is the president of Eccleston Law Offices, P.C. The Chicago-based firm represents investors and advisers nationwide in securities and employment matters. 312-332-0000 www.EcclestonLaw.com.