Roaring Kitty and phishing attacks expose cyber headaches for IBDs

A question at the start of the pandemic was how would broker-dealers, particularly independent B-Ds that operate on thin margins, adjust to technology and supervision of advisers during Covid-19.

It’s clear that firms had plenty of problems making that transition and now those issues are coming to the fore.

For the past 12 months, firm employees have been out of the office, scattered and working from home, the targets of cyber-attacks known as phishing. Advisers, meanwhile, have been reaching out to clients using unsupervised social media platforms.

What will broker-dealers learn about these technology shortcomings? How do you adequately supervise brokers working from home with hours of unsupervised time on their hands as they roam the social media and chat room terrain of the internet?

Firm leaders understand the threat is real. Cybersecurity was the top near-term tech concern for independent broker-dealers, according to the 2020 InvestmentNews Adviser Technology Study, and was cited by 77% of firms who participated.

Some firms are taking extra precautions, while others are not. Sixty-five percent of IBDs had at least some cybersecurity coverage in their E&O — errors and omissions — insurance, and 29% purchased supplemental insurance for cyber liability, according to the study.

But have broker-dealers taken appropriate precautions to protect advisers and their clients?

Take into consideration two recent tech and supervision snafus that wound up falling in the lap of broker-dealers, the first a massive news story and the second a more mundane breakdown.

In January, the rollercoaster ride of shares of GameStop Corp. was a media sensation. And one of the biggest believers in the stock, Keith Gill, better known by his social media handle “Roaring Kitty,” has painted a target on the broker-dealer he was registered with until last month, MML Investors Services.

Gill touted GameStop shares across the internet, including YouTube, Twitter and Reddit, and has created a roaring mess for MML Investors Services. The Massachusetts Securities Division is conducting an inquiry into “certain unreported outside business activity” of his, according to his BrokerCheck report.

And last month, in federal court in Massachusetts, Gill was hit with a proposed class-action lawsuit that accused him of misrepresenting himself as an amateur investor and profiting by artificially inflating the price of the stock.

Named in the same suit are MML Investors Services and its parent company, the insurance giant Massachusetts Mutual Life Insurance Co., or MassMutual.

The investor at the head of the complaint, Christian Iovin, alleges that MML and MassMutual “had the obligation to supervise Gill’s activities concerning securities and the securities markets.”

The complaint also claims that the two’s “obligation to supervise Gill extends to his use of social media and his compliance with the laws, regulations, and rules that apply to licensed securities professionals.”

A decade ago, when social media platforms like Twitter and Facebook were first starting to merge with the public’s consciousness, broker-dealers, which operate under strict industry advertising and marketing rules, were in a tizzy. Compliance attorneys in industry meetings repeated the same questions: how do we control what our brokers and financial advisers are saying on these platforms? How can we control them?

Roaring Kitty is the answer. Broker-dealers can’t block every avenue of internet expression. In the age where huge swaths of investors get their information from YouTube and Facebook, the danger is only heightened.

A spokesperson for MML Investors Services did not return calls this week to comment about the lawsuit.

Meanwhile, Cambridge Investment Research Inc., one of the largest independent broker-dealers in the industry, reported in a filing with the Securities and Exchange Commission at the end of February that the SEC’s Department of Enforcement was reviewing the firm’s cybersecurity policies and controls for the home office and registered and investment adviser representatives branch offices.

The review resulted from various compromises of registered reps and investment adviser representative email accounts “due to the widespread Office 365 phishing attack,” according to the filing. Cambridge is continuing to work with the SEC to resolve the matter, according to the filing.

A Cambridge spokesperson said that the firm did not comment on pending regulatory issues, but added: “We do believe discussions are underway with other firms; and we think these discussions likely need to conclude prior to resolution.”

That doesn’t sound hopeful.

Right now, it’s not known which firms or how many were targets of the phishing attacks. More information will undoubtedly follow.

At the start of the year, I interviewed a number of senior industry executives about the difficulties firms will face when using third-party technology vendors and cybercriminals. Amy Webber, the CEO and president of Cambridge, said that it was a matter of when, not if, a broker-dealer would face such an attack.

Turns out, Webber clearly knew what she was talking about and has the glare of the SEC’s scrutiny to prove it.

Related Topics: COVID-19, Cyber Attacks