CEO email hack leads to fine for Supreme Alliance
An inadequate reaction to its CEO’s email account hack has landed Supreme Alliance with a $65,000 fine. The firm has agreed to pay the fine as a part of a settlement with the United States Financial Industry Regulatory Authority (FINRA).
FINRA has found that from November 20, 2013, to the present, Supreme Alliance failed to develop and implement a written Identity Theft Prevention Program (the Program) reasonably designed to detect, prevent, and mitigate identity theft in connection with opening or maintaining customer accounts. The firm’s Program failed to include reasonable policies and procedures to identify or detect red flags of identity theft, and its procedures for responding to suspected identity theft were not tailored to its business.
Moreover, upon learning of an email security breach involving the firm email account of the firm’s CEO and CCO, Supreme Alliance failed to implement the procedures set forth in its Program.
Beginning on April 18, 2018, Supreme Alliance’s CEO and CCO received hundreds of notifications in his firm email mailbox stating that messages sent from his firm account could not be delivered to a particular external email address. Although the firm’s CEO and CCO did not recognize the external email address, he ignored the undeliverable notifications for approximately four months.
On August 30, 2018, the firm’s CEO and CCO forwarded one of the undeliverable messages to the firm’s outside email vendor, informing the vendor that he had received more than 100 such messages. The vendor informed the firm’s CEO and CCO there was an automated rule set up on his firm email account that blind-copied all emails he received to the external email address. The vendor further informed the firm’s CEO and CCO that his Supreme Alliance email account had likely been compromised.
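The breach described above surfaced through two signals a mail administrator can check routinely: a mailbox rule that copies every message to an address outside the firm, and a steady stream of non-delivery notifications to that same external address. The following is an added example, not code from the article, FINRA, or Supreme Alliance’s email vendor. It assumes a hypothetical rule export (a list of dicts with mailbox, name, action and target fields) and a hypothetical three-column bounce log; the firm domain, addresses and log lines are all constructed for illustration.

```python
"""Two defender-side checks for silent mailbox forwarding (added example).

1. Audit exported mailbox rules for forward/redirect/BCC actions whose
   target lies outside the firm's own domain.
2. Scan non-delivery (bounce) records and flag any external address that
   accumulates an unusual number of them from one sender.
The data formats and values below are constructed, not any vendor's real export.
"""
import re
from collections import Counter

FIRM_DOMAIN = "example-firm.test"  # assumed firm domain (placeholder)

# Constructed rule export; the field layout is hypothetical.
MAILBOX_RULES = [
    {"mailbox": "ceo@example-firm.test", "name": "Archive old mail",
     "action": "move", "target": "Archive"},
    {"mailbox": "ceo@example-firm.test", "name": "Untitled",
     "action": "bcc", "target": "collector@mail-drop.test"},
    {"mailbox": "ops@example-firm.test", "name": "Team copy",
     "action": "forward", "target": "ops-team@example-firm.test"},
]

# Constructed bounce log: timestamp, originating sender, undeliverable recipient.
NDR_LOG = """\
2018-04-18T09:01:12Z ceo@example-firm.test collector@mail-drop.test
2018-04-18T09:05:44Z ceo@example-firm.test collector@mail-drop.test
2018-04-18T10:12:03Z ops@example-firm.test partner@vendor.test
2018-04-18T11:30:19Z ceo@example-firm.test collector@mail-drop.test
2018-04-18T12:00:00Z ceo@example-firm.test collector@mail-drop.test
"""

# Rule actions that cause a copy of mail to leave the mailbox.
FORWARDING_ACTIONS = {"forward", "redirect", "bcc", "cc"}


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def is_external(address, firm_domain=FIRM_DOMAIN):
    """True when the address is not on the firm's own domain."""
    return domain_of(address) != firm_domain.lower()


def find_external_forwarding_rules(rules, firm_domain=FIRM_DOMAIN):
    """Return every rule that forwards or copies mail to an external address."""
    findings = []
    for rule in rules:
        if rule["action"].lower() not in FORWARDING_ACTIONS:
            continue
        if is_external(rule["target"], firm_domain):
            findings.append(rule)
    return findings


# One bounce record per line: <timestamp> <sender> <undeliverable recipient>
NDR_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<sender>\S+)\s+(?P<recipient>\S+)$")


def parse_ndr_log(text):
    """Parse the constructed bounce log into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        match = NDR_LINE.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def flag_ndr_bursts(records, threshold=3, firm_domain=FIRM_DOMAIN):
    """Count bounces per (sender, external recipient) pair.

    Returns only pairs at or above the threshold; a single mailbox repeatedly
    failing to reach one unknown external address is the pattern to escalate.
    """
    counts = Counter()
    for rec in records:
        if is_external(rec["recipient"], firm_domain):
            counts[(rec["sender"], rec["recipient"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for rule in find_external_forwarding_rules(MAILBOX_RULES):
        print(f"EXTERNAL RULE  {rule['mailbox']}: {rule['action']} -> {rule['target']}")
    for (sender, rcpt), n in flag_ndr_bursts(parse_ndr_log(NDR_LOG)).items():
        print(f"NDR BURST      {sender} -> {rcpt} ({n} bounces)")
```

Run against a real rule export, the first check should be scheduled rather than run once, since a rule can be added at any time after an account credential is exposed; the threshold in the second check is a tuning knob, and the point is that bounces to one unrecognized external address from one mailbox should reach an administrator rather than sit in the account owner's inbox for months.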
Upon learning of the breach of the firm’s CEO and CCO’s firm email account, Supreme Alliance failed to implement any of the procedures set forth in its limited Program. Additionally, Supreme Alliance failed to take steps to mitigate the risk of identity theft resulting from the incident. For example, at the time it discovered the breach, the firm made no effort to determine how many emails had been blind copied to the unauthorized account, or whether customers’ identifying information had been exposed.
It was not until May 22, 2019, when FINRA staff inquired about email communications with this external email address during the firm’s 2019 cycle exam, that Supreme Alliance attempted to determine the scope of the breach.
To date, the firm has not notified any customers whose identifying information was exposed because of the incident.
Between February 28, 2018, and August 30, 2018, approximately 17,000 emails were blind copied from Supreme Alliance’s CEO and CCO’s firm email account to the unauthorized external email address. At least 200 of the blind-copied emails contained identifying information relating to Supreme Alliance customers, including customers’ social security numbers, account numbers, driver’s license numbers, and dates of birth.
Therefore, Supreme Alliance violated Regulation S-ID of the Securities Exchange Act of 1934 and FINRA Rule 2010.
On top of the fine, the firm consents to the imposition of a censure.