A broker-dealer firm in Colorado has agreed to pay $1.5 million to settle charges with the SEC that the firm failed to file suspicious activity reports about cybersecurity thieves trying to take over customers’ accounts. It’s a sobering example of how weak cybersecurity controls can spill over into regulatory compliance trouble.
The firm in question is GWFS Equities, an affiliate of Great-West Life & Annuity Insurance. GWFS manages 401(k) plans that corporations offer to their employees. As such, GWFS deals with retail-level investors viewing their retirement plan balances, executing trades within their accounts, and so forth. It’s a consumer-facing business, which means its cybersecurity risks are high.
So what happened? According to the SEC settlement order, from 2015 to 2018 GWFS knew about increasing efforts by attackers to gain control of those individual retirement accounts — some of which succeeded. Broker-dealers are supposed to file suspicious activity reports to regulators when such attacks happen. But in at least 130 instances GWFS didn’t file those required SARs, and another 300 SAR filings didn’t contain all the information broker-dealers are supposed to include.
We have two interwoven threads to unravel here: what cybersecurity failures allowed the attackers to gain access to customer accounts; and what AML compliance failures led GWFS to file incomplete (or wholly absent) SARs?
Cybersecurity Disclosure Duties
As far back as 2011, FinCEN issued guidance to financial firms warning about the threat of attackers taking over customer accounts through cybersecurity breaches.
That guidance also spelled out instructions for reporting account takeovers, and stressed the importance of including relevant data: URL addresses, IP addresses, timestamps, email addresses, and other identifying information. It even went so far as to explain which boxes a firm should check on the Suspicious Activity Report, depending on whether the takeover attempt involved computer intrusions, telephone calls, unauthorized access to PINs, and so forth.
First, then, nobody can say broker-dealer firms are unaware of their duties or unsure of what they’re supposed to include in a SAR. The guidance is clear and specific. And in this specific case, the SEC settlement order even says GWFS knew that account takeovers should be reported to FinCEN and had all the trappings of an AML compliance program that you’d expect to see.
Second, all that detail in the FinCEN guidance is a good reminder of what data you should try to capture during an account takeover attempt. One hopes that large financial firms already have security software that logs all those details; the tricky compliance question is to assure that you can extract that data from the security logs and include it in whatever SAR you’re going to file.
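One way to make that extraction step concrete, as an added example that is not from the SEC order or from GWFS: parse constructed security log lines for one participant, pull out the identifiers the FinCEN guidance asks for (timestamps, IP addresses, URLs, email addresses), and flag any that are still empty before a SAR is drafted. The log format, user ids and addresses are all invented for the example.

```python
import re

# Constructed sample security log lines, loosely modelled on the December 2016
# incident described in the SEC order; the values are invented, not from the order.
SAMPLE_LOG = """\
2016-12-05T14:02:11Z event=login_success user=p1234 ip=203.0.113.45 url=/account/profile
2016-12-05T14:03:40Z event=contact_change user=p1234 ip=203.0.113.45 email=attacker@example.net url=/account/profile/edit
2016-12-06T09:10:00Z event=distribution_request user=p1234 ip=203.0.113.45 url=/account/distribution amount=43000
2016-12-06T09:12:00Z event=login_success user=p9999 ip=198.51.100.7 url=/account/profile
"""

# Identifying data the 2011 FinCEN guidance says an account-takeover SAR should carry.
SAR_FIELDS = ("timestamps", "ip_addresses", "urls", "email_addresses")
LOG_KEY_TO_SAR = {"ip": "ip_addresses", "url": "urls", "email": "email_addresses"}

def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict; returns None on a malformed line."""
    ts, _, rest = line.partition(" ")
    if not re.fullmatch(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ", ts):
        return None
    fields = dict(p.split("=", 1) for p in rest.split() if "=" in p)
    fields["timestamp"] = ts
    return fields

def extract_sar_details(log_text, user):
    """Collect the FinCEN-relevant identifiers for one participant from the log."""
    details = {k: [] for k in SAR_FIELDS}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f.get("user") != user:
            continue
        details["timestamps"].append(f["timestamp"])
        for key, sar_field in LOG_KEY_TO_SAR.items():
            if key in f and f[key] not in details[sar_field]:
                details[sar_field].append(f[key])
    return details

def missing_sar_fields(details):
    """Names of FinCEN fields still empty. A non-empty list means the draft SAR
    would be the kind of boilerplate filing the SEC criticised GWFS for."""
    return [k for k in SAR_FIELDS if not details[k]]

if __name__ == "__main__":
    d = extract_sar_details(SAMPLE_LOG, "p1234")
    print(d, missing_sar_fields(d))
```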
The Cybersecurity Issues
The SEC gave a few examples of how the account takeovers worked. One incident happened in December 2016, when a GWFS customer received a $43,000 check for a distribution he’d never requested.
An internal investigation found that the customer’s personal information had been changed without his knowledge, and the account had been accessed using an IP address that GWFS had identified in connection with another account takeover. (The customer only received the check because the fraudster was too late trying to intercept it at a package delivery facility.) In total, nine accounts connected to that customer’s employer were improperly accessed in the same period and with a similar pattern of activity.
Another incident happened earlier that year, where a customer reported an unauthorized $128,000 withdrawal from his account. GWFS investigated and found that someone had called the GWFS customer service center and impersonated the customer, and duped employees into allowing the withdrawal. The true customer didn’t notice the missing funds until he checked his account the following month. GWFS later identified various bank accounts and phone numbers associated with the fraudster.
Clearly we can praise GWFS’s investigations team. That group identified plenty of relevant details: phone numbers, IP addresses, names and businesses associated with those phone numbers and IP addresses, suspicious bank accounts, and the like. The group also identified how the scams worked, and even patterns within the customers the fraudsters were targeting.
That said, we have some points to ponder here about user access controls. We’ve all encountered challenge questions from our banks when logging into online banking, but with the theft of personal data now so rampant, challenge questions and password reset policies may no longer be sufficient for the risk of account takeovers and other frauds. (Indeed, the SEC has dinged other firms for their poor access control and password reset protections.)
I’ve long been a proponent of multi-factor authentication for user access control, where the IT system sends a temporary access code to your cell phone that you need to enter into the website, or something like that. GWFS just underlines how important such security controls are in a world where personal data is so easily stolen.
The Compliance Issues
We still have these AML compliance and SAR filing failures to consider. For at least 130 cybersecurity incidents that happened, GWFS just didn’t file the required SAR. Here’s an excerpt of what the SEC had to say about that account takeover with the $128,000 withdrawal:
GWFS’ BSA officer and SAR committee reviewed the investigative reports of [the] account takeover and determined that a SAR should be filed, but GWFS did not take further steps to ensure a SAR was filed. As a result, GWFS did not file a SAR concerning [the] account takeover.
So GWFS had clear evidence that it should file a SAR, but didn’t. We don’t know why. And that failure happened repeatedly over a three-year period.
The SEC also identified 297 incidents of incomplete SARs. In plenty of instances, the SEC said, GWFS “often possessed specific, detailed information about the underlying suspicious activity” because its investigations were so thorough. But the SARs that GWFS actually filed contained boilerplate information that said:
The participant’s account was taken over by an unauthorized individual who used all of their personal information to authenticate as the participant. It is unknown whether or not there is any related litigation with this SSN. It is unknown whether or not foreign nationals are involved in this activity. It is unknown whether or not the IRS has been contacted. All information is contained in this report.
Like, that was the SAR filing even when GWFS knew details such as suspects’ IP addresses, email addresses, names, and bank accounts; and provided those details to the AML compliance team and a SAR review committee. And this happened nearly 300 times.
The good news is that eventually GWFS overhauled its AML compliance program, including the following steps:
- implementing new SAR drafting procedures;
- retaining an outside AML consulting firm to review and recommend enhancements to its SAR processes;
- increasing the size and experience of its AML compliance team;
- restructuring its SAR process for greater accountability and quality control;
- implementing a new case management system to track all reports of unusual activity from initial intake through SAR decision and SAR filing; and
- substantial cooperation during the investigation.
Among all those points, I value No. 5 as most important: a case management system that tracks unusual activity and ties that activity to your SAR compliance duties. That’s how you break down silos and assure that your compliance program actually works, rather than just exists on paper.
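As an added illustration of that tracking idea, not GWFS’s actual system: a minimal case tracker that moves each report of unusual activity from intake through investigation, SAR-committee decision and filing, refuses moves that skip a stage or contradict the recorded decision, and lists cases where the committee decided to file but nobody did. The stage names and the 30-day reminder window are assumptions made for the example.

```python
from datetime import date, timedelta

# Allowed stage moves for a report of unusual activity. Constructed for this
# example; not GWFS's actual case management system.
TRANSITIONS = {
    "intake": {"investigated"},
    "investigated": {"decided"},
    "decided": {"filed", "closed_no_sar"},
}

class Case:
    def __init__(self, case_id, opened):
        self.case_id = case_id
        self.stage = "intake"
        self.decision = None      # "file" or "no_sar", set by the SAR committee
        self.decided_on = None
        self.history = [("intake", opened)]

    def advance(self, stage, on, decision=None):
        """Move the case forward, refusing moves that skip a stage or contradict
        the committee's decision (e.g. 'filed' without a recorded 'file' decision)."""
        if stage not in TRANSITIONS.get(self.stage, set()):
            raise ValueError(f"{self.case_id}: cannot move from {self.stage} to {stage}")
        if stage == "decided":
            if decision not in ("file", "no_sar"):
                raise ValueError(f"{self.case_id}: decision must be 'file' or 'no_sar'")
            self.decision, self.decided_on = decision, on
        if stage == "filed" and self.decision != "file":
            raise ValueError(f"{self.case_id}: no 'file' decision on record")
        if stage == "closed_no_sar" and self.decision != "no_sar":
            raise ValueError(f"{self.case_id}: committee decided to file; cannot close")
        self.stage = stage
        self.history.append((stage, on))

def overdue_filings(cases, today, deadline_days=30):
    """Case ids the committee decided to file but nobody has filed within
    deadline_days (30 is an assumed reminder window, not a figure from the order)."""
    return [c.case_id for c in cases
            if c.stage == "decided" and c.decision == "file"
            and (today - c.decided_on) > timedelta(days=deadline_days)]

if __name__ == "__main__":
    c = Case("ATO-2016-01", date(2016, 2, 1))
    c.advance("investigated", date(2016, 2, 10))
    c.advance("decided", date(2016, 2, 15), decision="file")
    print(overdue_filings([c], date(2016, 4, 1)))   # ['ATO-2016-01']
```

Run the overdue report on a schedule and the gap the SEC order describes (a committee that decided to file, then nothing) shows up as a named case instead of going unnoticed.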
Anyway, all that work whittled GWFS’s penalty down to $1.5 million plus a censure. GWFS, like any self-respecting company, neither confirms nor denies the allegations in the SEC order.