No Multi-Factor Email Authentication Costs Three Advisers
The SEC fined three registered investment advisers for failing to stop email account takeovers resulting from phishing and credential stuffing.
The SEC faults the firms for having general cybersecurity policies but failing to implement multi-factor authentication (MFA) as a concrete measure to stop email account takeovers. According to the SEC, the firms also failed to roll out MFA quickly enough after learning of the intrusions that exposed clients’ personal information. One firm was additionally accused of misleading affected clients by implying that the breach had occurred more recently than it actually had. Although the SEC noted that the account takeovers did not result in any unauthorized trades or transfers, it imposed fines of $300,000, $250,000 and $200,000 for violations of the Safeguards Rule (Rule 30(a) of Regulation S-P) and the Compliance Rule (Rule 206(4)-7 under the Advisers Act). An SEC official warned, “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”
All three cases cited the failure to implement multi-factor authentication. If you are not using MFA and an account is compromised, you will have a difficult time arguing that your cybersecurity policies were reasonably designed and implemented.