Cybersecurity Violations Result in $2.1 Million Penalty
SEC RELEASES
Introduction
On June 18, 2024, the SEC charged a corporation with cybersecurity-related control and procedure failures, along with disclosure violations, resulting in a $2.125 million penalty.
Cybersecurity is one of the SEC's top priorities, and Firms that do not implement reasonably designed controls, and disclose incidents properly, will continue to face penalties.
What Happened?
- Between 2009 and 2022, this company was required to file Forms 10-K annually and Forms 10-Q quarterly under the Exchange Act.
- This company's information network stored and transmitted sensitive data belonging to SEC-registered firms, healthcare organizations, publicly traded companies, and financial institutions.
- From November 2021 to January 2022, the company's internal intrusion detection system issued a high volume of complex alerts, which a Third-Party Security Service Provider was responsible for reviewing and escalating as needed.
- The company did not reasonably manage the Third-Party Provider to ensure that adequate resources were allocated, and the contract did not establish a reasonably designed workflow for prioritizing alerts by risk.
- The staff members who did receive escalations from the Third-Party Provider had other responsibilities and did not dedicate sufficient time to addressing the escalated alerts.
- A ransomware attack occurred, and the alerts escalated to staff indicated that:
  - Activity was taking place on multiple computers.
  - There was a broad phishing campaign.
  - The malware could facilitate remote execution of arbitrary code.
- The threat actors installed encryption software, and 70 GB of data was exfiltrated from the system.
- The company began its active response on December 23, 2021; the response was rapid and extensive and included prompt notification of clients, state agencies, and federal agencies.
Vigilant’s Conclusion
It is worth noting that the company cooperated throughout the investigation, self-reporting the incident and providing key information without the SEC having to issue subpoenas.
This incident highlights not only the importance of cybersecurity for Firms, but also the importance of properly supervising any Third-Party Providers.
If you have any questions about your cybersecurity program, reach out to us for a gap analysis to help assess your Firm’s risks.