SEC Fines Broker-Dealer $1.5 Million for Failing to Report Hacking Attempts

The Securities and Exchange Commission has settled charges against GWFS Equities Inc. (GWFS), a Colorado-based broker-dealer and affiliate of Great-West Life & Annuity Insurance Company, for violating the federal securities laws governing the filing of suspicious activity reports.

GWFS, which provides services to employer-sponsored retirement plans, agreed to a $1.5 million penalty, censure, and an order to cease and desist from future violations, without admitting or denying the SEC’s findings.

According to the SEC, from September 2015 through October 2018, GWFS was aware of increasing attempts by external “bad actors” to gain access to the retirement accounts of individual plan participants.

The SEC claims that GWFS was aware that the bad actors attempted or gained access by using improperly obtained personal identifying information of the plan participants, and that they were frequently in possession of electronic login information such as usernames, email addresses, and passwords.

Broker-dealers are required to file suspicious activity reports for certain transactions suspected to involve fraudulent activity or a lack of an apparent business purpose.

The Treasury Department’s Financial Crimes Enforcement Network states that in order to be effective tools for law enforcement, the reports should include “the five essential elements of information – who? what? when? where? and why? – of the suspicious activity being reported.”

The SEC alleges that GWFS failed to file approximately 130 suspicious activity reports, including in cases when it had detected external bad actors gaining, or attempting to gain, access to the retirement accounts of participants in the employer-sponsored retirement plans it serviced.

Additionally, the SEC said that for the roughly 300 reports that were filed by GWFS, it did not include the “five essential elements” of information it knew and was required to report, including cyber-related data such as URL addresses and IP addresses.

“Across the financial services industry, we have seen a large increase in attempts by outside bad actors to gain unauthorized access to client accounts,” said Kurt Gottschall, director of the SEC’s Denver regional office. “By failing to file [suspicious activity reports] and by omitting information it knew about the suspicious activity it did report, GWFS deprived law enforcement of critical information relating to the threat that outside bad actors pose to retirees’ accounts, particularly when the unauthorized account access has been cyber-enabled.”

In determining to accept the settlement offer, the SEC took into account GWFS’s “significant” cooperation with the investigation and subsequent remedial efforts, including adding a dedicated anti-money laundering staff and systems, replacing key personnel, clarifying delegation of responsibility for filing suspicious activity reports, and implementing new policies, procedures, standards, and training.
