GWFS Equities Inc., a Colorado-based broker/dealer (B/D) and affiliate of Great-West Life & Annuity Insurance, has settled charges from the Securities and Exchange Commission (SEC) that it failed to report attempts by external bad actors to gain access to plan participants’ retirement accounts. GWFS provides services to employer-sponsored retirement plans.
According to the SEC’s cease-and-desist order, GWFS was allegedly aware over the span of more than three years of increasing attempts by external bad actors to hack into the retirement accounts, but failed to file more than 100 suspicious activity reports (SARs) as required by law. The order alleges the firm was also aware that the hackers attempted or gained access by using improperly obtained personal information of the plan participants, and that they were often in possession of electronic login information, including usernames, email addresses, and passwords.
Although GWFS detected most of the attempts before the hackers could request a distribution from a plan participant’s account, some incidents involved successful distributions. The attempts, whether or not funds were actually withdrawn, are referred to as account takeovers.
“GWFS recognized at the time, and throughout the relevant period, that these account takeovers are required to be reported under the Bank Secrecy Act,” the SEC said in its order. “However, GWFS did not comply with its SAR-reporting obligations as to these incidents.” The SEC also said the firm “failed to implement its anti-money laundering program consistently in practice.”
B/Ds are required to file SARs for certain transactions that are suspected to involve fraudulent activity or have no apparent business purpose. The SEC alleged that GWFS failed to file approximately 130 SARs, and that for nearly 300 SARs it did file, the company failed to include the “five essential elements” of information—who? what? when? where? and why?—about the suspicious activity. The SEC said the firm was required to report the suspicious activity and suspicious actors, including cyber-related data such as URL addresses and Internet Protocol (IP) addresses.
“Across the financial services industry, we have seen a large increase in attempts by outside bad actors to gain unauthorized access to client accounts,” Kurt Gottschall, director of the SEC’s Denver regional office, said in a statement. “By failing to file SARs and by omitting information it knew about the suspicious activity it did report, GWFS deprived law enforcement of critical information relating to the threat that outside bad actors pose to retirees’ accounts.”
Despite the allegations, the SEC said GWFS was cooperative during the regulator’s investigation, and that it “undertook significant remedial measures,” including implementing new SAR drafting procedures and retaining an outside anti-money laundering consulting firm to review and recommend enhancements to its SAR processes, among other steps.
Without admitting or denying the SEC’s findings, GWFS agreed to a settlement that includes a $1.5 million penalty, a censure, and an order to cease and desist from future violations.