In a recent Securities and Exchange Commission hearing, Commonwealth Equity Services LLP of Waltham, Massachusetts was fined for not having anti-virus software installed on its representatives' PCs.

According to the summary of proceedings, Commonwealth recommended, but did not require, its registered representatives to maintain antivirus software on the computers used to access the Commonwealth trading platform, "as a result, Commonwealth's customer information was left vulnerable to unauthorized access.  

"In addition, Commonwealth did not have procedures in place to adequately review its registered representatives' computer security measures. In particular, Commonwealth's internal auditors did not audit branch office computers to determine whether antivirus software was installed, nor did Commonwealth have procedures in place to follow up on potential computer security issues uncovered during branch audits or when registered representatives contacted Commonwealth's information technology help desk for computer-related assistance."

In November, 2008, an intruder obtained the login credentials of a Commonwealth representative (presumably via a keylogger) and used those credentials to access the trading system.  The intruder instigated purchase trades in 8 accounts and obtained details of 368 customers.

Within minutes, Commonwealth's dealing staff noticed the 'odd' trades and quickly blocked the account from further activity.  The unauthorized trades were cancelled, leading to an $8,000 loss as the situation was repaired.  In addition, the 368 customers were notified that their account name, account number account registration type, account net worth, cash balance, and the last four digits of their Social Security number were obtained by the intruder.

The SEC summary also details a sequence of events where Commonwealth's IT help desk received a call from the afflicted representative in September, with a suspected virus compromise.  The help desk operator could not verify the presence of any anti-virus software and recommended it be obtained.  Unfortunately, there was no follow-up to confirm this had been done.

"As a result of the conduct described above, Commonwealth willfully3 violated Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) [known as the "Safeguards Rule"], which requires broker-dealers and registered investment advisers to have written policies and procedures that are reasonably designed to safeguard customer records and information."  

A settlement was reached with Commonwealth agreeing to a penalty of $US100,000.