
SEC fines broker-dealer $100,000 over computer security failures

20 October 2009

US broker-dealer Commonwealth Financial Network has been fined $100,000 for failing to insist its registered representatives maintain anti-virus software on their computers. The failure led to an intruder gaining access to the firm's Intranet, accessing customer accounts and entering unauthorised purchase orders worth over $523,000.

According to an SEC cease and desist order - first published by ZDNet - an intruder used a computer virus in November 2008 to obtain the login credentials of a Commonwealth registered representative.

Some time later that month, the intruder used the login credentials to enter Commonwealth's Intranet site and view information on how to execute trades.

Approximately a week later, the intruder used the same details to enter the trading platform before running a search query for the Commonwealth registered representative's customer accounts with cash balances in excess of a certain amount, generating a list of 368 accounts.

By doing so, the intruder had access to the account name, account number, account registration type, account net worth, cash balance, and the last four digits of the account owner's Social Security number for all 368 accounts.

The same day, the intruder placed, or attempted to place, eighteen unauthorised purchase orders for the common stock of one publicly-traded company in eight of the 368 customer accounts identified, totalling over $523,000 of purchases.

The SEC says Commonwealth's clearing broker-dealer detected the move within ten minutes and the intruder was blocked from further trading. The firm immediately cancelled the purchases and transferred them into its error account, absorbing a net loss of approximately $8000, and reported the incident to the Commission staff. It also notified the owners of the 368 accounts.

However, the SEC says Commonwealth was in violation of rules requiring broker-dealers to adopt written policies and procedures "reasonably designed to protect customer information".

Commonwealth recommended that representatives install anti-virus software on computers used to access account information on the company's Intranet and trading platform, but did not require it.

"As a result, Commonwealth's customer information was left vulnerable to unauthorised access," says the SEC.

In addition, the firm failed to put in place procedures to adequately review its registered representatives' computer security measures. In particular, internal auditors did not audit branch office computers to determine whether anti-virus software was installed, or have procedures in place to follow up problems.

The SEC has censured Commonwealth and the company has been told to pay a civil penalty of $100,000 to the US Treasury.
