Well, this is kind of surprising. I've heard of how companies are penalized for not having used data encryption on computers with sensitive data, but this is probably the first time I've heard of an instance where the same was done for not using antivirus software.
According to zdnet.com, the SEC has recently levied a $100,000 fine (payable to the US Treasury. Random thought: maybe the US could make a dent in its debts by policing data breaches?) on Commonwealth Financial Network because it failed to require that its reps use antivirus software. Instead, the broker-dealer merely recommended its use.
The implication is that, in the SEC's opinion, if the company had mandated the use of antivirus software, the keystroke-logging virus would have been caught, heading off what turned out to be unauthorized purchases of stock.
(The hacker targeted only one stock, buying up $523,000 worth of shares. I guess he must have purchased stock beforehand, and was looking to run up the price before pulling out with a big profit. Thankfully, the ruse was caught and most of the orders reversed, with Commonwealth suffering a loss of $8,000.)
...although, upon my reading of the SEC's cease-and-desist order, the antivirus software does seem to figure in heavily. However, it could be said that the fine was levied, and rightly so in my opinion, because Commonwealth did not have adequate data safety policies in place.
Under the heading "Commonwealth's Failure to Safeguard Customer Information and Inadequate Response to Known Deficiencies and Anticipated Security Threats," the SEC has highlighted how the company failed to comply with the "Safeguards Rule," as the following entry clearly shows:
"...prior to the November 2008 intrusions...IT help desk received several calls from the Commonwealth registered representative whose computer was hacked into...indicating that the registered representative’s computer system had been compromised by a software virus...order ticket maintained by Commonwealth’s IT help desk...notes that Commonwealth’s help desk was unable to detect antivirus software on the registered representative’s computer and therefore recommended the registered representative obtain antivirus software...One day prior to the first known intrusion in early November 2008, the same registered representative again called Commonwealth’s IT help desk to report additional computer problems and the help desk employee noted that the registered representative’s computer “has a major virus” and told him to take the computer to his local computer technology person to have it repaired. The registered representative brought his computer to his local technology person that afternoon, although by this time the intruder was already in possession of the login credentials necessary to access the representative’s Commonwealth customer accounts." [emphases mine. From the SEC's cease-and-desist order, SECURITIES EXCHANGE ACT OF 1934 Release No. 60733 / September 29, 2009]
In other words, Commonwealth allowed the problem to fester, and now look what happened.
The lack of antivirus software is mentioned at least nine times in the C&D, so it figures prominently. However, the fine was undoubtedly levied for the inadequacy of the data security policies and processes at Commonwealth. Even if that one sales rep had happened to have all the necessary computer security hardware and software in place (antivirus like Sophos, encryption like AlertBoot, firewalls from Cisco, etc.), a disaster was still waiting to strike the broker-dealer.
Related Articles and Sites:
http://blogs.zdnet.com/security/?p=4653
http://www.sec.gov/litigation/admin/2009/34-60733.pdf