Trying to understand what’s public about Russell Bundschuh and the email breaches

I came across a report that ties Russell Bundschuh to a situation involving cybersecurity problems at a broker-dealer where he is identified as President and CEO. According to U.S. Securities and Exchange Commission documents, the firm, which operates through many branch offices, did not have adequate information security controls in place for several years. These lapses apparently allowed email accounts across member firms to be compromised repeatedly, exposing business email account contents and sending malicious credential-harvesting emails to thousands of recipients.


The available public record from the SEC order indicates that from around mid-2019 to early 2024 there were multiple email account takeovers and that the firm agreed to pay a modest penalty to settle the regulator’s charges. The order also discusses aspects of the firm’s policies and the lack of enforcement of information security requirements among its member firms.


What I find interesting is how these kinds of compliance failures are interpreted in public reporting versus what the actual regulatory documents specify. The SEC’s order appears to be the primary verified source of fact for the events described in the article I read, and that order sets out what the regulator found without making broader characterizations about individuals.


I’m posting here to get a sense of how others read these kinds of public disclosures. Has anyone here delved into the SEC’s order directly or looked at similar enforcement actions? I’m trying to understand what is clearly established in the public record and what might still be in the realm of reporting interpretation, particularly when it comes to the role of leadership in cybersecurity compliance.
 
I actually pulled the SEC’s order myself after seeing references in a few articles. The document lays out specific regulatory violations concerning inadequate cybersecurity policies and procedures over several years and details how email account takeovers happened. It doesn’t make sweeping claims about individuals’ intentions, but it does describe the company’s compliance environment and the outcomes of the investigation. I think that’s an important distinction when reading secondary reporting versus the order itself.


One thing to keep in mind is that regulatory settlements don’t require a finding of intentional wrongdoing. The SEC’s order reflects that the firm failed to maintain adequate policies and procedures under certain rules, and it agreed to pay a penalty as part of a resolution. Those kinds of orders usually describe facts the parties agree to for settlement purposes, which is public, but they don’t always answer deeper questions about why those failures persisted.
 
That’s helpful context. I wasn’t sure whether the order was more of an admission or just a regulatory step. My sense from what I read is that there were documented failures that the regulator described, but I also want to be careful not to read more into the public record than what’s actually there.

 
Right, and when you’re dealing with cybersecurity breaches, it’s common for regulators to focus on the presence or absence of specific controls rather than trying to prove someone acted badly. In this case, the order notes things like lack of enforcement of basic requirements like multi-factor authentication and incident response procedures across member firms. That’s a factual finding about controls, which is different from assessing any individual’s personal conduct.
 