The Securities and Exchange Commission announced on September 22, 2015 that an investment adviser has agreed to settle charges that it failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients. The SEC order outlined that the firm failed “entirely” to protect its clients from a July 2013 cyber-attack that was later traced to China, U.S. regulators said on Tuesday. The investment advisory firm will pay $75,000 to settle the civil charges.
Federal securities laws require registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information. According to the SEC, the firm never adopted written policies and procedures, which the Commission has advocated investment advisers do, as highlighted in the April 2015 Guidance Update on cybersecurity. The SEC also determined that the firm did not conduct periodic risk assessments, implement a firewall, encrypt its personally-identifiable information or maintain a response plan for any incidents either. The only mitigating steps noted that the firm took when the breach occurred, was to contact all involved and offered free identity theft monitoring through a third-party vendor.
Marshall S. Sprung, co-chief of the SEC enforcement division’s asset management unit, said in the news release that the regulator will continue to enforce its safeguarding rules, whether or not there is clear financial harm to clients. Mr. Sprung also said, “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
Our Perspective
Cybersecurity is a hot button topic for securities regulators. This case is in line with the efforts of the commission to ensure investor protection from breaches and take action even where there is not financial harm to clients. The SEC continues to put out guidance and issue risk alerts relating to cybersecurity and intends to perform a second wave of examinations focusing on cybersecurity provisions. Investment advisers are well advised to follow their lead and establish strong policies and procedures to protect against harm to their clients and enforcement action to the firm and its principals.
SEC3 can assist your firm in creating, implementing and maintaining your cybersecurity policies and procedures. For further information, please contact your SEC3 representative or contact us at info@seccc.com.