Interactive Brokers latest B-D to report data breach

Just as the Securities and Exchange Commission is sharpening its focus on cybersecurity breaches at broker dealers and registered investment advisors, Interactive Brokers is reporting private client information has been targeted.

In January, Interactive Brokers, which specializes in equities and options trading, “identified a business email compromise that resulted in the unauthorized access to a limited amount of consumer personal information,” according to a sample letter to clients the firm filed on Thursday with Massachusetts. “The company activated its incident response protocols and implemented containment and remediation measures to ensure the security of the company’s email environment.”

“Our investigation determined the following types of your information may have been impacted by this incident: your name” and another piece of unidentified information, according to the Interactive Brokers letter. “At this time, we have no evidence that your information was subject to actual or attempted misuse as a result of this incident.”

It is not clear how many of the firm’s clients have felt an impact of the email breach.

Broker-dealers and RIAs have to be constantly vigilant for such data break-ins.

“Sophisticated hackers for last 10 years have constantly improved their ability to breach systems, and it’s up to firms to match them,” said Sander Ressler, managing director, Essential Edge Compliance Outsourcing Services. “I think the industry will continue to fight that struggle in foreseeable future.”

“When they get hit with a data breach, firms become susceptible to regulators’ investigations, enforcement actions and lawsuits, because customer information has been compromised,” said Brandon Reif, an industry attorney.

“We have notified certain clients of a limited business email compromise by an unknown malicious actor,” an Interactive Brokers’ spokesperson wrote in an email. “There is no evidence that any client’s information was subject to actual or attempted misuse as a result of this incident, and there is no evidence that there was any unauthorized access to any client’s account, or to any of [the firm’s] systems.”

In a move to modernize regulation around how certain institutions handle customers’ nonpublic personal information, the SEC this month said that it adopted critical amendments to Regulation S-P.

This move is intended to address the growing risks associated with technological advancements since the rule’s initial adoption in 2000. Under the amendments, broker-dealers, investment companies, registered investment advisers, and transfer agents will have to meet new requirements to safeguard customer data.

Among the updates to Regulation S-P, covered institutions are mandated to establish written policies and procedures for an incident response program. This program must include measures to detect, respond to, and recover from unauthorized access to or use of customer information.

With certain limited exceptions, the new rules also require firms to notify affected individuals, or those reasonably likely to have been affected, as soon as practicable, but no later than 30 days after the institution becomes aware of a breach.