Ontario teams up with Israel to tackle cybersecurity in financial services

The U.S. Securities and Exchange Commission (SEC) is bringing enforcement action against broker-dealer, Virtu Americas LLC, alleging that it failed to properly guard against information leakage between its institutional trading business and prop trading arm.

The SEC charged the firm and its parent company, Virtu Financial Inc., for overstating the controls that were erected to prevent the misuse of sensitive customer data. It said proprietary traders had access to an internal database that contained post-trade information generated by client orders between January 2018 and early 2019.

“Virtu Americas’s failure to safeguard this information created significant risk that its proprietary traders could misuse it or share it outside Virtu Americas,” the regulator said.

“At a time when Virtu Americas handled around a quarter of all market orders placed by retail investors in the U.S., we allege that proprietary traders had nearly unfettered access to material nonpublic information about its institutional customers’ trades — information which could be abused for personal gain,” said Gurbir Grewal, director of the SEC’s enforcement division, in a release.

“Despite the absence of any critical safeguards whatsoever around this information, we further allege that Virtu repeatedly misled institutional customers and the market about how Virtu Americas was protecting this valuable data to generate significant commissions. Today’s enforcement action not only holds Virtu accountable for its failings, but also sends a strong message to firms that they must do much more than use shared, generic usernames and passwords to protect against and prevent the misuse of material nonpublic information,” he added.

The allegations have not been proven.

In a release, Virtu said it rejects the regulator’s allegations, saying the hypothetical possibility that client information was widely accessible does not mean the company’s policies and controls to protect sensitive information were “unreasonable.”

“Virtu has continuously maintained policies and procedures that were and are reasonably designed to prevent the misuse of confidential information — consistent with its obligations under applicable laws — and public statements made regarding its policies and procedures were true and accurate,” it said.

Additionally, it noted that the SEC doesn’t claim client information was ever misused by its prop traders, nor that there is any evidence of that. The fact that this information was theoretically accessible was self-reported by the firm during a routine compliance exam, it said.

Virtu also said discussions about a possible settlement with the SEC failed to reach a resolution.

“We are disappointed by the SEC’s decision to bring this action. Despite our belief that these allegations are meritless, we engaged in good faith settlement discussions with the SEC to bring this matter to a reasonable resolution,” said Doug Cifu, Virtu’s CEO, in a release.

Moreover, the firm suggested the action is at least partly politically motivated, given its vocal criticism of proposed market structure reforms, and a lawsuit it brought against the SEC seeking access to information on the rulemaking process.

“Unfortunately, the SEC’s position appears to be driven by politics and headlines rather than the facts and the law,” Cifu said.

The SEC’s complaint, which was filed in U.S. district court for the Southern District of New York, seeks injunctive relief, disgorgement with prejudgment interest, and civil penalties.