Barely three months after the SEC issued its Cyber-Security Risk Alert, the Commission issued a press release on July 25, 2014 announcing one of the largest penalty assessments in its history against a broker-dealer for violation of SEC regulations concerning cyber-security. The Commission had indicated that it is serious about cyber-security in repeated alerts and speeches, and now has backed up speeches and publications with action. Broker-dealers would be wise to take notice.
The SEC alleged that broker-dealer LavaFlow, Inc. failed to implement information safeguards for its alternative trading system (“ATS”), in violation of Rule 310(b)(10) of Regulation ATS by failing to protect the confidential financial information of its subscribers. Specifically, the SEC Order noted that LavaFlow’s system allowed an affiliate that operated an application known as a smart order router to obtain access to confidential information of LavaFlow’s subscribers. As a result, according to the SEC, 400 million shares were traded based in part on subscriber information contained in unexecuted hidden orders. The smart order router was operated by Lava Trading, Inc., which is owned by Citigroup Financial Products, and earned $1.8 million during this period as a result of the use of the subscriber information.
The administrative proceeding was settled with an agreement by LavaFlow to pay a penalty of $2.85 million, the largest penalty to date against an alternative trading system, plus disgorgement of the $1.8 million earned by Lava Trading, and $350,000 in prejudgment interest.
Daniel M. Hawke, Chief of the SEC’s Enforcement Division Market Abuse Unit, commenting on the Order, sounded a stern warning of more such proceedings in the near future. “Because much of today’s equity trading is automated,” he said, “firms must protect sensitive information within computer networks just as aggressively as they police against the misuse of information by people.”
Broker-dealers would be well advised to take these words to heart and assess the safeguards of their systems before the SEC cyber-knocks at their door. For additional information please contact Kenneth N. Rashbaum.