FINRA Fines BD Over Handling of CEO Email Hack

The CEO, who was also the firm's chief compliance officer, ignored suspicious notifications for about four months, FINRA says.

The Financial Industry Regulatory Authority has fined and censured a broker-dealer for failing to take action when the emails of its CEO, who was also the firm’s chief compliance officer, had been hacked.

Supreme Alliance was censured and fined $65,000 for failing to develop and implement a written identity theft prevention program “reasonably designed to detect, prevent and mitigate identity theft in connection with opening or maintaining customer accounts.”

Further, FINRA found that upon learning of an email security breach involving the firm email account of the firm’s CEO and CCO, Supreme Alliance failed to implement the procedures set forth in its program to mitigate the risk of identity theft due to the exposure of its customers’ identifying information to an unauthorized third party.

FINRA charged the BD with violating the Identity Theft Red Flags Rule.

According to the FINRA order, beginning on April 18, 2018, the Supreme Alliance executive received hundreds of notifications in his firm email mailbox stating that email messages sent from his firm account could not be delivered to a certain external email address.

“Although the firm’s CEO and CCO did not recognize the external email address, he ignored the undeliverable notifications for approximately four months,” the FINRA order states.

On Aug. 30, 2018, the executive forwarded one of the undeliverable messages to the firm’s outside email vendor, informing the vendor that he had received more than 100 such messages.

“The vendor informed the firm’s CEO and CCO there was an automated rule set up on his firm email account that blind-copied all emails he received to the external email address. The vendor further informed the firm’s CEO and CCO that his Supreme Alliance email account had likely been compromised.”

At the time it discovered the breach, Supreme Alliance “made no effort to determine how many emails had been blind copied to the unauthorized account, or whether customers’ identifying information had been exposed,” FINRA states.
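The two signals in the order, a mailbox rule that blind-copies everything to an outside address and a flood of bounce notifications to that same address, are both easy to check mechanically. The following added example (not part of the FINRA order or this article) audits rule exports and bounce logs for them; it assumes rules were exported to JSON with Exchange Online's Get-InboxRule property names holding plain SMTP addresses, and the internal domain, rule data and bounce lines are constructed placeholders.

```python
import json
import re
from collections import Counter

# Domains treated as the firm's own; placeholder value, assumed for this example.
INTERNAL_DOMAINS = {"bd.example"}

# Constructed sample shaped like Get-InboxRule records exported to JSON
# (property names as in Exchange Online; plain SMTP addresses are an assumption).
SAMPLE_RULES = json.dumps([
    # terse rule name and a BCC to an outside mailbox: the pattern in the order
    {"Mailbox": "ceo@bd.example", "Name": ".", "Enabled": True,
     "BlindCopyTo": ["collector@mail.example.net"]},
    {"Mailbox": "ceo@bd.example", "Name": "Ops", "Enabled": True,
     "ForwardTo": ["ops@bd.example"]},
    {"Mailbox": "ceo@bd.example", "Name": "Old", "Enabled": False,
     "RedirectTo": ["x@mail.example.org"]},
])

# Constructed bounce-log lines: date, sender, failed recipient, status text.
SAMPLE_NDRS = "\n".join(
    ["2018-04-18 ceo@bd.example collector@mail.example.net 550 unknown user"] * 120
    + ["2018-04-19 ceo@bd.example typo@partner.example.com 550 unknown user"]
)

ADDR_RE = re.compile(r"([\w.+-]+@([\w-]+(?:\.[\w-]+)+))")
COPY_ACTIONS = ("BlindCopyTo", "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def external_targets(rule, internal_domains):
    """Recipients of any copy/forward/redirect action outside the firm's domains."""
    hits = []
    for action in COPY_ACTIONS:
        for rcpt in rule.get(action) or []:
            m = ADDR_RE.search(rcpt)
            if m and m.group(2).lower() not in internal_domains:
                hits.append((action, m.group(1)))
    return hits


def audit_rules(rules_json, internal_domains=INTERNAL_DOMAINS):
    """Enabled rules that send a copy of mail outside the firm, per mailbox."""
    findings = []
    for rule in json.loads(rules_json):
        if not rule.get("Enabled", True):
            continue  # a disabled rule cannot leak mail right now
        hits = external_targets(rule, internal_domains)
        if hits:
            findings.append({"mailbox": rule["Mailbox"], "rule": rule["Name"], "targets": hits})
    return findings


def bounce_hotspots(ndr_log, threshold=50):
    """Failed recipients that bounced at least `threshold` times: the signal ignored for months."""
    counts = Counter(line.split()[2].lower() for line in ndr_log.splitlines() if len(line.split()) >= 3)
    return {addr: n for addr, n in counts.items() if n >= threshold}
```

Scheduling both checks across every mailbox, and treating a single external address that appears in both results as an incident, would have surfaced this rule within days rather than months.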

It wasn’t until May 22, 2019, when FINRA staff inquired about email communications with this external email address during the firm’s 2019 cycle exam, that Supreme Alliance attempted to determine the scope of the breach.

“To date, the firm has not notified any customers whose identifying information was exposed because of the incident,” the order states.

Between Feb. 28, 2018, and Aug. 30, 2018, approximately 17,000 emails were blind-copied from the executive’s firm email account to the unauthorized external email address.

“At least 200 of the blind-copied emails contained identifying information relating to Supreme Alliance customers, including customers’ social security numbers, account numbers, driver’s license numbers, and dates of birth,” FINRA said.

Supreme Alliance has been a FINRA member since October 1998. The firm is based in Haschbach am Remigiusberg, Germany. Supreme Alliance has five branch offices, four of which are in the United States, and approximately 50 registered persons.

The BD's business consists primarily of distributing mutual funds and variable life insurance or annuities; it does not have any relevant disciplinary history.