Unreported Cyberattacks on Retirement Accounts Lead to $1.5M SEC Fine for B-D


The Securities and Exchange Commission (SEC) on Wednesday announced settled charges against GWFS Equities Inc. (GWFS), a Colorado-based registered broker-dealer and affiliate of Great-West Life & Annuity Insurance Company, for violating the federal securities laws governing the filing of Suspicious Activity Reports (SARs).

Empower Retirement subsidiary GWFS, which provides services to employer-sponsored retirement plans, agreed to pay a $1.5 million fine to settle the charges.

According to the SEC’s order, from September 2015 through October 2018, GWFS was aware of increasing attempts by external bad actors to gain access to the retirement accounts of individual plan participants. The order further finds that GWFS was aware that the bad actors attempted or gained access by, among other things, using improperly obtained personal identifying information of the plan participants, and that the bad actors frequently were in possession of electronic login information such as user names, email addresses, and passwords.

Broker-dealers are required to file SARs for certain transactions suspected to involve fraudulent activity or a lack of an apparent business purpose. The guidance for preparing SARs from the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) states that in order to be effective tools for law enforcement and fulfill their intended purpose, SAR narratives should include “the five essential elements of information—who? what? when? where? and why?—of the suspicious activity being reported.”

The order finds that GWFS failed to file approximately 130 SARs, including in cases when it had detected external bad actors gaining, or attempting to gain, access to the retirement accounts of participants in the employer-sponsored retirement plans it serviced. Further, for nearly 300 SARs that GWFS did file, the order finds that GWFS did not include the “five essential elements” of information it knew and was required to report about the suspicious activity and suspicious actors, including cyber-related data such as URL addresses and IP addresses.

“Across the financial services industry, we have seen a large increase in attempts by outside bad actors to gain unauthorized access to client accounts,” Kurt L. Gottschall, Director of the SEC’s Denver Regional Office, said in a May 12 statement. “By failing to file SARs and by omitting information it knew about the suspicious activity it did report, GWFS deprived law enforcement of critical information relating to the threat that outside bad actors pose to retirees’ accounts, particularly when the unauthorized account access has been cyber-enabled.”

The SEC’s order notes that significant cooperation by GWFS with the SEC’s investigation and subsequent remedial efforts were taken into account in the determination to accept the company’s settlement offer. The remedial efforts included adding dedicated anti-money laundering (AML) staff and systems, replacing key personnel, clarifying delegation of responsibility for filing SARs, and implementing new SAR-related policies, procedures, standards, and training.

“We have at all times put a heavy focus on the protection of client accounts, and have routinely shared robust information directly with law enforcement agencies to help them catch suspicious actors,” Stephen Gawlick, a spokesman for Empower Retirement, told The Denver Post. “We are confident the issues identified by the SEC are well behind us and have committed to maintaining an effective (anti-money laundering) compliance program.”

The SEC’s order finds that GWFS violated Section 17(a) of the Securities Exchange Act and Rule 17a-8 thereunder. Without admitting or denying the SEC’s findings, GWFS agreed to a settlement that imposes a $1.5 million penalty, a censure, and an order to cease and desist from future violations.

Empower Retirement is the nation’s second-largest retirement plan administrator with oversight of more than 12 million retirement plan participants and 67,000 employer-sponsored retirement plans.

Brian Anderson, Editor-in-Chief | banderson@401kspecialist.com

Veteran financial services industry journalist Brian Anderson joined 401(k) Specialist as Managing Editor in January 2019. He has led editorial content for a variety of well-known properties including Insurance Forums, Life Insurance Selling, National Underwriter Life & Health, and Senior Market Advisor. He has always maintained a focus on providing readers with timely, useful information intended to help them build their business.
