SEC Charges Investment Adviser with Failure to Adopt Proper Cybersecurity Policies and Procedures Prior to Cyberattack
On Tuesday, September 22, 2015, the SEC charged an investment adviser with failing to adopt a written policy and procedure reasonably designed to safeguard customer records and information. The charge spawned from a July 2013 cyberattack on the investment adviser’s third party-hosted server, which potentially compromised the personally identifiable information (“PII”) of over 100,000 individuals stored on the server. Without admitting or denying the SEC’s findings, the investment adviser has agreed to settle the charge for approximately $75,000 and cease and desist from committing or causing any future violations of the SEC’s “Safeguards Rule.”
Rule 30(a) of Regulation S-P (the “Safeguards Rule”) requires every investment adviser registered with the SEC to adopt written policies and procedures reasonably designed to safeguard customer records and information. Specifically, the policies and procedures must be reasonably designed to: (1) insure the security and confidentiality of customer records and information, (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information, and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
According to the SEC’s Order, from September 2009 to July 2013, the investment adviser stored, without modification or encryption, the PII of both clients and other persons on a third party-hosted web server. After discovering the potential breach, the investment adviser promptly retained multiple cybersecurity firms to confirm the attack and assess the scope of the breach. Though the firms ultimately could not determine whether the PII stored on the server had been accessed or compromised, the investment adviser notified every individual whose PII may have been stolen and offered free identity theft monitoring through a third-party provider.
Despite its subsequent remedial efforts, which all appear to have been implemented prior to the SEC’s investigation of the matter, and the lack of any harm, the SEC charged the investment adviser for failing to adopt a written policy and procedure reasonably designed to safeguard customer information prior to the breach. Specifically, the SEC found that the investment adviser’s policy and procedure for protecting its customer’s sensitive PII did not include: (1) conducting periodic risk assessments, (2) employing a firewall to protect the web server containing client PII, (3) encrypting client PII stored on the server, or (4) establishing procedures for responding to a cybersecurity incident.
Notably, the SEC acknowledged the following changes promptly adopted by the investment adviser to mitigate future risks: (1) appointing an information security manager to oversee data security and protection of PII, (2) adopting and implementing a written information security policy, (3) refraining from storing PII on its webserver and encrypting all PII stored on its internal network, (4) installing a new firewall and logging system to prevent and detect malicious intrusions, and (5) retaining a cybersecurity firm to provide ongoing reports and advice. Further, there has been no indication to date that any client has suffered financial harm as a result of the breach.
The enforcement action comes just one week after OCIE issued a Risk Alert announcing its continued focus on cybersecurity during examinations of registered broker-dealers and investment advisers. According to the Alert, the examinations, which are designed to promote better compliance practices and inform the SEC’s understanding of cybersecurity, will focus on: (1) governance and risk assessment, (2) access rights and controls, (3) data loss prevention, (4) vendor management, (5) employee and vendor training, and (6) incident response. The Risk Alert encouraged registered broker-dealers and investment advisers to reflect upon their own practices, policies, and procedures in light of these focus areas.
The SEC’s enforcement action and OCIE’s Risk Alert demonstrate the SEC’s commitment to police the industry’s efforts to protect investors’ personal information to the greatest extent possible. As cyberattacks continue and cybersecurity efforts evolve, it is critical for investment advisers and broker-dealers to regularly and routinely review their policies and procedures to ensure they are adequately safeguarding investors’ private information.