On August 30, 2021, the Securities and Exchange Commission (“SEC”) entered settled Orders against eight SEC-registered investment advisers and/or broker-dealers for their failure to establish, maintain, or implement adequate cybersecurity policies and procedures.[1]
According to the SEC, unauthorized third-party hackers took control of cloud-based email accounts of the firms’ personnel and/or outside contractors. The hacks resulted in the exposure of personally identifiable information (“PII”) and other information and records of firm clients. As a result, the SEC found each firm violated Rule 30(a) of Regulation S-P, known as the Safeguard Rule, and one of the firms also violated Rule 206(4)-7 of the Investment Advisers Act of 1940, known as the Compliance Rule.
The Safeguard Rule requires registered broker-dealers and investment advisers to adopt written policies and procedures reasonably designed to 1) insure the security and confidentiality of customer records and information; 2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and 3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.[2]
The Orders found that each of the firms was the target of successful phishing, credential stuffing, and other cyberattacks and failed to respond appropriately or quickly enough to the incidents. In certain cases, the SEC found a failure to establish or implement policies or procedures reasonably tailored to safeguard customers’ PII and other records; in others, it found that the firms used misleading language in breach notifications to clients, suggesting that the notifications had been issued much sooner after discovery of the incidents than they actually were.
Without admitting or denying the SEC’s findings, each firm agreed to entry of an Order requiring it to cease and desist from future violations. Though none of the hacks appear to have resulted in unauthorized trades or money transfers, each firm agreed to pay a penalty between $200,000 and $300,000.
While the Commission has noted in the past that it appreciates that registrants are in many ways the victims of cyber breaches or intrusions, these enforcement actions follow recent efforts by the SEC’s Division of Examinations to educate the industry on what it expects from firms regarding the protection of PII and other client information.[3] The SEC has repeatedly emphasized the importance it places on firms updating, monitoring, and testing their cybersecurity policies and procedures.
We recommend that firms review their cybersecurity policies and procedures, including their implementation, regarding the protection of PII and other client information and records, with an eye to whether those policies are being monitored, tested, and revised to meet new threats. Firms should also evaluate whether they have provided appropriate resources and authority to those charged with developing, managing, and testing these measures as well as ensuring they have the support of senior management.
If you have any questions or need assistance with your firm’s cybersecurity program, please contact any of the partners and counsel listed below or your primary attorney in Seward & Kissel’s Investment Management or Litigation Group.