The SEC recently issued an order and settlement against a company from a pair of cyberattacks in which millions of dollars of client funds were stolen. While the company was able to recover a portion of the funds and ultimately reimbursed clients for the money lost, the SEC still fined the company $850,000 for failure to provide the necessary safeguards to protect its clients’ funds.

In both attacks, cyber criminals were able to transfer of large sums of money to external bank accounts. The first incident stemmed from a threat actor hijacking an existing email chain and pretending to be a client. The attacker then requested the issuance and liquidation of new shares to an external account. In the second incident, an attacker used stolen Social Security Numbers from an unknown source to create fake accounts and link to legitimate accounts even though other personal information attached to the accounts didn’t match. In both instances, the attacker transferred funds out to external accounts.

The order highlights what the SEC expects when it comes to employee training and security protocols. Although the company had sent employees alerts about fraud and guidance on the importance of call-backs to verify requests and to pay attention to requesters’ email addresses, the SEC found this to be insufficient. The SEC said that the company should’ve taken additional steps such as confirming that the warning email was read by employees, that training was provided, and to otherwise confirm that call-backs were in-fact being performed.

Putting it Into Practice: This case servers as a reminder of the types of monitoring and measuring criteria regulators may expect when it comes to demonstrating that employees have been adequately trained. Copies of training materials or warning newsletters may no longer be enough. Regulators are more and more interested in how a company evaluates whether its cyber training is effective and how they are monitoring employee compliance.