On Tuesday, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) disclosed levied penalties of more than $1.71 billion from several Wall Street brokerage firms. The two regulators issued fines to 16 finance companies for failing to monitor the use of unauthorized messaging apps.
SEC’s disclosure accounts for $1.11 billion of the $1.71 billion penalty, while the remaining $661 million will go to the CFTC. All 16 Wall Street majors, including Bank of America Securities, Goldman Sachs, Citigroup Global Markets, Morgan Stanley, Credit Suisse, and Barclays, were penalized.
SEC’s probe revealed that between January 2018 and September 2021, employees of the penalized companies used WhatsApp, personal email, and other unauthorized services on personal devices to communicate about work-related matters. Beezy’s 2022 Digital Workplace trends & insights report highlighted that 32% of workers use unapproved communication and collaboration tools.
Personal devices and unauthorized tools pose a certain level of risk to organizational data because they may not be as well shielded from cyberattacks as company-secured devices. A company-issued device enforces corporate security policies, monitors network access, can have USB connections disabled, and can be enrolled in a mobile device management solution, all of which harden the device.
On the other hand, a personal device may have an antivirus at most, and beyond that its security depends on how well-versed its owner is in basic cybersecurity hygiene, such as awareness of social engineering techniques and the technical knowledge needed to thwart cyberattacks.
Yet, risks from humans were a significant factor behind 88% of the total $15 billion in losses from cybersecurity incidents over the last five years. Additionally, insider threat is another huge concern and is behind 30% of breaches, Verizon found in its 2020 Data Breach Investigations Report.
Security aside, the 16 penalized companies also failed to adequately maintain records and logs of these communications, thereby hindering the regulators’ investigation.
“The firms did not maintain or preserve the substantial majority of these off-channel communications, in violation of the federal securities law,” SEC noted. “The failings occurred across all of the 16 firms and involved employees at multiple levels of authority, including supervisors and senior executives.”
As such, the violators weren’t charged for lax security controls, though that is a significant concern, but for negligence in recordkeeping. Fifteen of the 16 violators were charged under the Securities Exchange Act of 1934, while investment adviser DWS Investment Management Americas was charged for recordkeeping failures under the Investment Advisers Act of 1940.
Eight of the 16 companies were fined $125 million each by the SEC. Meanwhile, the CFTC fined seven companies $75 million each. The CFTC singled out Bank of America Securities and issued its highest penalty of $100 million, making the investment bank the biggest offender by penalty amount.
JP Morgan settled with the regulators in December 2021 with a similar $200 million fine, broken down as $125 million to the SEC and $75 million to the CFTC. This takes the total to $1.97 billion.
Gurbir Grewal, director of the SEC’s Division of Enforcement, said, “Today’s actions – both in terms of the firms involved and the size of the penalties ordered – underscore the importance of recordkeeping requirements: they’re sacrosanct. If there are allegations of wrongdoing or misconduct, we must be able to examine a firm’s books and records to determine what happened.”
Morgan Stanley recently agreed to a $35 million fine by the SEC for “extensive failures” in its data security practices.