US broker-dealer Commonwealth Financial Network has been fined $100,000 for failing to insist its registered representatives maintain anti-virus software on their computers. The failure led to an intruder gaining access to the firm's Intranet, accessing customer accounts and entering unauthorised purchase orders worth over $523,000.
According to an SEC cease-and-desist order, first published by ZDNet, an intruder used a computer virus in November 2008 to obtain the login credentials of a Commonwealth registered representative.
Some time later that month, the intruder used the login credentials to enter Commonwealth's Intranet site and view information on how to execute trades.
Approximately a week later, the intruder used the same details to enter the trading platform before running a search query for the Commonwealth registered representative's customer accounts with cash balances in excess of a certain amount, generating a list of 368 accounts.
By doing so, the intruder had access to the account name, account number, account registration type, account net worth, cash balance, and the last four digits of the account owner's Social Security number for all 368 accounts.
The same day, the intruder placed, or attempted to place, eighteen unauthorised purchase orders for the common stock of one publicly-traded company in eight of the 368 customer accounts identified, totalling over $523,000 of purchases.
The SEC says Commonwealth's clearing broker-dealer detected the move within ten minutes and the intruder was blocked from further trading. The firm immediately cancelled the purchases and transferred them into its error account, absorbing a net loss of approximately $8000, and reported the incident to the Commission staff. It also notified the owners of the 368 accounts.
However, the SEC says Commonwealth was in violation of rules requiring broker-dealers to adopt written policies and procedures "reasonably designed to protect customer information".
Commonwealth recommended that representatives install anti-virus software on computers used to access account information on the company's Intranet and trading platform, but did not require it.
"As a result, Commonwealth's customer information was left vulnerable to unauthorised access," says the SEC.
In addition, the firm failed to put in place procedures to adequately review its registered representatives' computer security measures. In particular, internal auditors did not audit branch office computers to determine whether anti-virus software was installed, and had no procedures in place to follow up on problems.
The SEC has censured Commonwealth and the company has been told to pay a civil penalty of $100,000 to the US Treasury.