Exclusive: Anatomy Of A Brokerage IT Meltdown

Regulators last year issued the SEC's first-ever privacy fine against broker-dealer GunnAllen for failing to protect customer data. But former IT staffers say regulators didn’t seem to know half of this cautionary tale of outsourcing and oversight gone wrong.
In the bigger picture, it's unclear where the SEC was during all of this activity. "How is it that GunnAllen was an examined entity and they had no security policy?" said independent privacy expert Andrew M. Smith, an attorney at Morrison & Foerster. "Say you're 25 years old, recently graduated college, you're an SEC inspector, what's the first thing you're going to do? You're going to ask for their policies and procedures, and when you see that it takes up less than a quarter of a page, there's going to be something wrong."

Of course, that perspective assumes that the SEC or FINRA had in fact audited GunnAllen's compliance. "Is it possible that they never examined this broker-dealer? If so, that's fair enough," Smith says. In fact, it's not clear if FINRA or the SEC ever audited GunnAllen's policies before they began their relevant enforcement actions, or whether the additional security violation revelations detailed by Sago in mid-2011 might lead the agencies to reopen their investigation.

Officials at both FINRA and the SEC declined to comment on any examinations or audits their agencies may have conducted of GunnAllen. But FINRA's publicly accessible records for GunnAllen make no mention of the agency having audited or examined the company before evidence of the Ponzi scheme emerged.

What could have been done to help the SEC spot brokerages with poor IT policies? In 2008, the agency proposed amendments to Regulation S-P, also known as the Safeguard Rule, to increase customer data protection requirements for the businesses it regulates. According to Chris Wolf, an attorney who directs law firm Hogan Lovells' privacy and information management practice, these include requiring "a written security program, identification of specific employees to run it, identification of documentation for reasonably foreseeable security risks, as well as implementation of safeguards for managing those risks, as well as training, oversight, and so on, including for providers." Wolf added, "It would also have a data breach notification obligation, which currently does not exist."

But those proposed amendments have remained stalled since they were first proposed in March 2008. An SEC spokeswoman declined to comment on the status of the proposed Reg S-P amendments, or whether the agency is still backing them.

Life After GunnAllen

Knowing what they now know, would the Revere Group IT employees who worked at GunnAllen have done anything differently? "Things probably should have been told directly to GunnAllen, but we were in such fear of keeping our jobs," Lynott said. "Looking back and thinking back now, I probably would have gone back and told the GunnAllen people. But they may already have known."

Ultimately, Lynott said, he quit The Revere Group. "I got to the point where I morally couldn't go to work anymore," he said. One week after he left, he heard that the network engineer who'd allegedly sabotaged the IT systems was fired.

Saccavino, meanwhile, said he suspects GunnAllen had no idea what was happening in the IT department. "They weren't told the whole truth, and I don't think they were told even part of the truth," he said. "Shame on them for not having a check and balance in place, but you can't blame them for being the victim."

Smith, the privacy expert, offered four takeaways for any company that outsources its IT department: "One, you need to do your due diligence up front so you know that your service provider can keep this safe. Two, you need to have contractual obligations that allow you to keep this data safe, and audit that. Three, monitor so you know it's safe. And four, if there's unauthorized access, have your service provider notify you promptly."

Benchmarking normal activity and then monitoring for users who stray from that norm is an essential strategy for getting ahead of potential data and system breaches. But choosing the right tools is only part of the effort. Without sufficient training, efficient deployment and a good response plan, attackers could gain the upper hand. Download our Fundamentals Of User Activity Monitoring report. (Free registration required.)