In the last few years, cybersecurity, with an emphasis on protection of customer data, has topped the exam priorities and risk alerts of both the Financial Industry Regulatory Authority (“FINRA”) and the Securities and Exchange Commission (the “SEC”). And, as the global pandemic pushes the financial services industry into the second year of a work from anywhere business environment, the deployment and continued improvement of cybersecurity controls to secure customer and firm data are critical.
Perhaps it should come as no surprise that regulations underpinning cybersecurity practices are coming to the fore. A case in point is the announcement of FINRA’s letter of Acceptance, Waiver, and Consent (“AWC”) with Supreme Alliance LLC (“Supreme”) in December 2020 for violations of the SEC’s Regulation S-ID, also known as the identity theft red flags rule, and FINRA Rule 2010.[1] FINRA’s settlement with Supreme is significant as it potentially signals a more aggressive and meaningful focus on Reg S-ID, which saw its first major enforcement in 2018 when the SEC fined Voya Financial Advisors, Inc. $1 million for violating it as well as the SEC’s Reg S-P.[2]
This post will analyze the unique fact pattern of Supreme and offer practical suggestions for compliance officers navigating the nuances of identity theft protection and cybersecurity in this new, remote work world.
Supreme and Its Implications
Reg S-ID generally requires firms to implement identity theft prevention programs that include reasonable policies and procedures to detect, respond to, prevent, and mitigate identity theft in covered accounts.[3] Generally, “covered accounts” are those held for personal, family household purposes where there is a foreseeable risk of potential identity theft. The aim of Reg S-ID, then, is to protect the customer data held by financial and credit institutions by ensuring that firms have in place adequate policies and procedures to identify and safeguard against customer identify theft.
Supreme Alliance LLC is a FINRA-registered broker dealer headquartered in Germany, with four branch offices in the United States; its business mainly consists of the distribution of mutual funds and variable life insurance. In the case of Supreme, on April 18, 2018, both the CEO and CCO of the organization began receiving “hundreds” of email notifications that some of their messages “could not be delivered to a certain external email address.”[4] The CEO and CCO continued to receive these bounce back notifications during the next four months, but took no action on them. We should pause here to consider what this may have looked like for the impacted users—hundreds of emails piling up in inboxes every day for months without any inquiry into the root cause. Despite crowded inboxes and the proliferation of spam, the receipt of hundreds of notifications every day is a significant issue. Clearly, Supreme’s CEO and CCO were not ”inbox zero” adherents.
Four months later, on August 20, 2018, Supreme’s CEO and CCO contacted their third-party email vendor to notify them about the increased volume of bounce back messages. After Supreme’s email vendor investigated the CEO’s account, it was determined that “there was an automated rule set up on his firm email account that blind-copied all emails he received to the external email address.” Based on the vendor’s review, the reason for the blind-copy anomaly was that the email accounts of the firm’s CEO and CCO “had likely been compromised.”[5] The bounce back emails were, in fact, a warning signal that messages were being furtively blind copied to a third party hacker, and the inaction of the CEO and CCO served to prolong the incident.
It was ultimately determined that “17,000 emails were blind copied from Supreme Alliance’s CEO and CCO’s firm email account to the unauthorized external email address.” The contents of these compromised messages was highly problematic as “[a]t least 200 of the blind-copied emails contained identifying information relating to Supreme Alliance customers, including customers’ social security numbers, account numbers, driver’s license numbers, and dates of birth.”[6] The volume of impacted messages here—17,000 emails, over 200 with personal customer data and potentially other messages containing sensitive company information—is staggering.
Perhaps equally troubling from FINRA’s perspective was the fact that Supreme did not revise or revisit its identity theft policies and procedures following the incident and, furthermore, did not proactively report the issue. In fact, Supreme only considered remedial activity after FINRA learned about the hack almost a year later when its “staff inquired about email communications with this external email address during the firm’s 2019 cycle exam.”[7] Had FINRA not uncovered the anomaly during an exam, it would have gone wholly unreported.
Clearly, Supreme fell short of Reg S-ID’s mandates around the creation and maintenance of an identity theft red flags program. The issues were exacerbated by the CEO and CCO’s inaction when confronted with hundreds of unexplained emails each day as well as their failure to update the program following the incident or disclose the account compromise and data leakage to FINRA. Given FINRA’s recent guidance on credit for cooperation and the aforementioned focus on cybersecurity, Supreme’s failure to protect customer information, establish an identify theft program, and deploy appropriate information security controls failed to comply with Reg S-ID and FINRA Rule 2010. [8] As a result, FINRA fined Supreme $65,000, mandated the updating of its identity theft red flags program within six months, and required it to contact customers impacted by the hack within three months. While the monetary sanction pales in comparison to Voya, FINRA imposed three meaningful non-financial penalties on Supreme, including: notifying customers whose identifying information was impacted, revising its identity theft prevention program to address the shortcomings identified in the AWC, and enhancing the security of its email systems. The fact that additional remedial actions were included as part of the AWC demonstrates FINRA’s emphasis on the importance of the structure and operation of a firm’s Reg S-ID and security programs.
Practical Compliance Guidance
Supreme’s settlement should signal to compliance officers at registered broker-deals and investment advisers that strong cybersecurity programs, including identity theft components, are a worthy investment. As discussed briefly above, identity theft and cybersecurity are deeply intertwined, so I will consider them here in tandem.
From a foundational perspective, firms must have cybersecurity and identity theft policies and procedures that are meaningfully aligned to their unique product and services offerings, geographic scope, and technology footprint. FINRA highlighted this point in Supreme, noting that “generic policies and procedures” were not “tailored to the firm’s actual business model.”[9] This lack of rigor was evident across Supreme’s policies; as FINRA observed, “[f]or example, although the Program provided that the firm’s legal department would take an active role in investigating incidents of suspected identity theft, Supreme Alliance did not have a legal department.”[10]
Despite coming up constantly in FINRA and SEC regulation, the need to have policies tailored to the operational realities of your organization cannot be overstated. Policy failures in the realm of identity protection and information security can result in a cascading array of potential pitfalls from failing to appropriately identify and remediate security incidents to inadequate mechanisms for asserting legal privilege over incident-related communications. Put bluntly—compliance officers, in coordination with other key firm stakeholders in legal, information security, and IT, must ensure that policies are operationally relevant, refreshed periodically, and revisited in the event of material stressing factors like security incidents or other known vulnerabilities. Since compliance sits at the nexus of policy drafting and monitoring activities, it is essential that it coordinates with cybersecurity and legal teams to ensure that revised policy statements, new technical controls, and expanded oversight activities address relevant risks and adhere to privacy and regulatory mandates. Although compliance alone is not responsible for data protection or privacy failures, a critical part of its role is to understand risks and translate them for relevant business units, including technical teams, to ensure that a firm’s framework for documenting, responding to, and mitigating risks is sufficient.
Although this point is not explicitly addressed in Supreme, the deployment and ongoing maintenance of technical controls as the foundation of an effective identify theft prevention program should be part and parcel of any cybersecurity strategy. While it seems to be the case that Supreme’s third-party email vendor was able to identify the issue quickly, it is unclear if Supreme had other controls in place to identify account compromise. For example, were data loss prevention (“DLP”) controls in place for email? Did devices and accounts have strong password requirements and multifactor authentication enabled?
In our remote work world, employees access firm assets from personal machines and networks, so compliance and security teams must augment existing controls to address these new threat surfaces. One salient example is the rapid adoption of modern collaboration and chat applications like Zoom, Slack, Microsoft Teams, and Cisco Webex to conduct firm business. While these systems have provided the communication backbone of work from anywhere, new risks related to the potential sharing of customer and firm information over screen shares, web cams, file transfers, chat, and whiteboards must prompt a rethinking of the compliance and security policies and technical tools used to supervise these channels. A new crop of RegTech vendors offering DLP and privacy-enhancing protections for collaboration and chat platforms has emerged, and proactive compliance teams should use these tools to enhance their existing identity theft and cybersecurity toolkits.
Finally, compliance officers should focus on training and education to heighten awareness about potential data leakage and identity theft risks. To avoid training fatigue, these materials can be short, concise courses tailored to specific risks like remote work with actionable guidance so that employees know how to respond to a given situation. When combined with active phish testing, including remedial actions for anyone who fails phish tests, training is a powerful bulwark against potential predators.
Conclusion
Although Reg S-ID’s applicability to SEC- and Commodity Futures Trading Commission-regulated firms has only existed since the Dodd-Frank reforms of 2010, it is a broad and powerful regulatory framework that will see heightened focus as its intersection with cybersecurity becomes more pronounced and customer interactions migrate to digital channels. Regulated organizations need look no further than Supreme, the New York Department of Financial Services’ March 3, 2021 settlement agreement with Residential Mortgage Services, Inc., or other instances of business email compromise to understand that communication platforms are at the forefront of identity theft and cybersecurity risk. [11]
Compliance officers must be proactive in creating and maintaining organization-specific identify theft and cybersecurity policies, procedures, training, and technical controls to protect customer and firm data. In a work from anywhere world, firms must anticipate emerging risks and structure compliance programs to accommodate new technologies and office environments.
This article first appeared on Compliance & Enforcement by Marc Gilman.
Access the original article here!
