Exclusive: Anatomy Of A Brokerage IT Meltdown
Regulators last year issued the SEC's first-ever privacy fine against broker-dealer GunnAllen for failing to protect customer data. But former IT staffers say regulators didn’t seem to know half of this cautionary tale of outsourcing and oversight gone wrong.
It was the spring of 2005. Over a period of roughly seven business days, traffic had slowed to a crawl at the Tampa, Fla.-based firm, which had outsourced its IT department to The Revere Group. GunnAllen's acting CIO, a Revere Group partner, asked a member of the IT team to investigate.
Dan Saccavino, a former Revere Group employee who at the time served at GunnAllen as the IT manager in charge of the help desk, laptops, and desktops, says he and another network engineer eventually pinpointed the cause of the slowdown: A senior network engineer had disabled the company's WatchGuard firewalls and routed all of the broker-dealer's IP traffic--including trades and VoIP calls--through his home cable modem. As a result, none of the company's trades, emails, or phone calls were being archived, in violation of Securities and Exchange Commission regulations.
Despite the fact that at least five people at The Revere Group knew about the engineer's action, it's unclear whether it was reported at the time to GunnAllen or regulators. The SEC didn't reference the incident in a subsequent announcement about a settlement with GunnAllen for unrelated privacy and data security violations, and interviews with former Revere Group employees reveal that regulators may have known about only a fraction of the data security failures at the firm.
What follows is a chronicle of one firm's myriad IT and other missteps over a period of at least four years, as related by former employees and various official documents. It's a cautionary tale of what happens when a company tosses all IT responsibility over a wall and rarely peeks back. It also reveals what happens when an IT outsourcing vendor gets in over its head, and it points to the failures of regulators to identify and clean up a corporate mess on a grand scale.
While these missteps go back as far as seven years, they have continuing relevance today in the context of how businesses oversee outsourcing, information security, regulatory, and employee matters.
NEXT: Rogue Home Router
... Read full story on InformationWeek
Post a comment to the original version of this story on InformationWeek