In what appears to be the first enforcement action of its kind, the Securities and Exchange Commission in May fined broker-dealer GWFS Equities Inc. $1.5 million for failing to file 130 suspicious activity reports (SARs)—and including insufficient information in 297 SARs it did file. The settlement involved cybercriminals’ attempts to gain access to accounts using improperly obtained personal identifying information (PII).
Notably, the enforcement action was not the result of GWFS failing to disclose or report a cyber intrusion into its networks. The SEC acknowledged GWFS’s strong cybersecurity efforts. Rather, the cybercriminals obtained customer electronic login information, such as user names, email addresses, and passwords, through attacks on the customers themselves and/or third parties.
GWFS’s detection and prevention of most of the attempted takeovers before the bad actors could obtain funds was apparently not sufficient to satisfy GWFS’s anti-money laundering and Bank Secrecy Act (AML/BSA) obligations.
Cybersecurity Is a Federal Priority
President Joe Biden, SEC Chairman Gary Gensler, and the SEC’s Division of Examinations have all highlighted cybersecurity as a priority. Recent high-profile cyber events will no doubt amplify federal scrutiny, and the SEC may take a leading role by ensuring financial institutions file SARs to alert law enforcement to potential risks.
The SEC first asserted itself as a regulator of AML/BSA violations in 2007. Over the past few years, the SEC has increasingly affirmed its jurisdiction to enforce the BSA and police SAR filings under sections of the Securities Exchange Act of 1934 that require broker-dealers to comply with reporting, record keeping, and record retention requirements.
The SEC has also increased enforcement of violations of Rule 30(a) of Regulation S-P, which requires that broker-dealers, investment companies, and investment advisers adopt reasonably designed policies and procedures to protect against unauthorized access to, or use of, customer PII.
While there is some question about the SEC’s authority to enforce regulations of the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), at least one case cited in the GWFS settlement order has held that the SEC does have the authority to enforce the SAR provisions of the BSA under Rule 17a-8.
Action Signals Intention to Enforce SAR Guidance
The SEC’s GWFS enforcement action underscores that regulators intend to enforce cyber-related SAR guidance that has flown under the radar over the past decade.
In 2011, for example, FinCEN issued an advisory regarding cyber-enabled account takeover activity. FinCEN provided further cyber-event and cyber-enabled crime guidance and FAQs in 2016. According to FinCEN’s guidance, “Cyber-events targeting financial institutions that could affect a transaction or series of transactions would be reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities.”
The SEC’s GWFS enforcement action and FinCEN guidance make clear that regulators expect entities subject to SAR reporting requirements to file detailed SARs whenever bad actors even attempt to access accounts containing at least $5,000 using improperly obtained customer PII, regardless of whether the attempt is successful.
In addition, the SEC underscored that template narratives will not suffice. SAR narratives for account takeover attempts must include “the five essential elements of information—who? what? where? when? and why?—of the suspicious activity being reported” to satisfy regulatory requirements. For cyber-related SARs, these essential elements may include URL addresses, IP addresses and time stamps, email addresses, and other electronic identifying information.
SEC’s Increasing Focus on Cybersecurity Risks
While the GWFS order plows new ground with respect to cyber-related SAR requirements, it is consistent with the SEC’s increased focus on cybersecurity issues over the past several years. In 2018, the SEC emphasized that “it is critical that public companies take all required actions to inform investors about material cybersecurity risks.”
Recent enforcement actions concerning the sufficiency of disclosures show the agency’s commitment, and in August 2020, the commission updated its broader disclosure rules, requiring the disclosure of “material” risks and issues across an array of topics, potentially including cybersecurity.
The GWFS enforcement action represents a new consideration for companies as they examine the sufficiency of their own past reporting and consider revising public disclosures to appropriately disclose any new compliance costs and enforcement risks. And as noted above, both Gensler and the Division of Examinations, and the SEC as a whole, emphasized their focus on cybersecurity and ransomware issues in recent months, increasing the likelihood of further guidance and enforcement actions.
Companies should continue to carefully review their incident response and security monitoring plans to ensure that procedures are in place to document and share information necessary to support reporting obligations. Existing procedures may not adequately capture all relevant information and incidents whose reporting is now required, nor ensure that such information is shared internally with legal and compliance groups.
The GWFS action shows that maintaining robust cybersecurity defenses and preventing most intrusions is not sufficient to avoid penalty—appropriate reporting and disclosure is also essential. Only with careful review and expansion of internal practices can an entity ensure it is collecting and reporting sufficient information to meet the SEC’s expectations.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Kenneth Herzinger is a partner in Paul Hastings’ Investigations and White-Collar Practice in San Francisco, focusing on SEC investigations and enforcement actions, internal investigations, and securities class actions, including matters related to cryptocurrency and money-laundering. Prior to joining private practice, he served as an attorney in the SEC’s Enforcement Division.
Sherrese Smith is vice-chair of Paul Hastings’ Data Privacy and Cybersecurity practice in Washington, D.C., where she advises and counsels multinational companies across various jurisdictions (including the U.S., EU, and Asia) on data privacy, cybersecurity, and breach response issues, including managing global privacy and information security risks and compliance matters.
Derek Wetmore is a litigation associate, advising companies and individuals in a range of civil and criminal matters involving U.S. securities laws, FCPA, Bank Secrecy Act and other laws.