The Financial Industry Regulatory Authority has fined and censured a broker-dealer for failing to take action when the emails of its CEO, who was also the firm's chief compliance officer, had been hacked.
Supreme Alliance was censured and fined $65,000 for failing to develop and implement a written identity theft prevention program "reasonably designed to detect, prevent and mitigate identity theft in connection with opening or maintaining customer accounts."
Further, FINRA found that upon learning of an email security breach involving the firm email account of the firm's CEO and CCO, Supreme Alliance failed to implement the procedures set forth in its program to mitigate the risk of identity theft due to the exposure of its customers' identifying information to an unauthorized third party.
FINRA charged the broker-dealer with violating the Identity Theft Red Flags Rule.
According to the FINRA order, beginning on April 18, 2018, the Supreme Alliance executive received hundreds of notifications in his firm email mailbox stating that email messages sent from his firm account could not be delivered to a certain external email address.
"Although the firm's CEO and CCO did not recognize the external email address, he ignored the undeliverable notifications for approximately four months," the FINRA order states.
On Aug. 30, 2018, the executive forwarded one of the undeliverable messages to the firm's outside email vendor, informing the vendor that he had received more than 100 such messages.
"The vendor informed the firm's CEO and CCO there was an automated rule set up on his firm email account that blind-copied all emails he received to the external email address. The vendor further informed the firm's CEO and CCO that his Supreme Alliance email account had likely been compromised."
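As an added defender's example (not code from FINRA, the firm or its email vendor), the following Python flags the two signals the order describes: a mailbox rule that silently blind-copies mail to an external address, and a burst of non-delivery reports to an address the mailbox owner does not recognize. The firm domain, the rule export format and the NDR log are constructed assumptions.

```python
"""Detect silent external-copy mailbox rules and NDR bursts.
All data below is constructed sample input in a hypothetical shape,
not a real vendor export."""
from collections import Counter

INTERNAL_DOMAINS = {"supreme-alliance.example"}  # hypothetical firm domain

# Constructed rules: a harmless folder rule and a silent BCC-and-delete rule.
MAILBOX_RULES = [
    {"name": "Newsletters", "actions": {"move_to_folder": "News"}},
    {"name": ".", "actions": {"bcc_to": ["drop@attacker-mail.example"],
                              "delete": True}},
]

# Constructed NDR log: (date, address the bounced message was addressed to).
NDR_LOG = [("2018-04-18", "drop@attacker-mail.example")] * 120 + [
    ("2018-04-20", "client@partner.example")]


def is_external(address):
    """True when the address's domain is not one of the firm's own."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def suspicious_rules(rules):
    """Return rules that forward, redirect or BCC mail to an external address.
    Deleting the copy, or an empty/one-character rule name, raises the score."""
    findings = []
    for rule in rules:
        actions = rule["actions"]
        targets = (actions.get("forward_to", []) + actions.get("redirect_to", [])
                   + actions.get("bcc_to", []))
        external = [t for t in targets if is_external(t)]
        if not external:
            continue
        score = 1
        if actions.get("delete"):                 # hides the copy from the owner
            score += 1
        if len(rule["name"].strip(" .")) <= 1:    # unnamed rules warrant review
            score += 1
        findings.append({"rule": rule["name"], "external": external,
                         "score": score})
    return findings


def ndr_burst(ndr_log, known_contacts, threshold=25):
    """Count NDRs per unrecognized recipient; many bounces to one unknown
    address is itself a reason to inspect the mailbox's rules."""
    counts = Counter(addr for _, addr in ndr_log if addr not in known_contacts)
    return {addr: n for addr, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(suspicious_rules(MAILBOX_RULES))
    print(ndr_burst(NDR_LOG, {"client@partner.example"}))
```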