SEC Enforcement Action Reveals Expectations for Cybersecurity Policies and Procedures
September 28, 2015
Law Firm: Sutherland Asbill Brennan LLP - Washington Office
The SEC recently settled charges against a registered investment adviser for allegedly violating Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”).

Under the Safeguards Rule, registered investment advisers and others subject to the rule must adopt written policies and procedures reasonably designed to insure the security and confidentiality of client records and information, to protect against any anticipated threats or hazards to the security or integrity of client records and information, and to protect against unauthorized access to or use of client records or information that could result in substantial harm or inconvenience to any client.

According to the SEC’s order instituting administrative and cease-and-desist proceedings, the investment adviser stored personally identifiable information (“PII”) of clients and others on a third-party-hosted web server without adopting written policies and procedures regarding the security and confidentiality of that information and its protection from anticipated threats or unauthorized access. The SEC’s order noted that the investment adviser’s server was hacked, leaving the PII of more than 100,000 individuals vulnerable to theft.

The SEC’s order also noted that, in conjunction with the SEC’s investigation, the investment adviser took steps to mitigate the risk of future cyber threats. Specifically, the investment adviser appointed an information security manager to oversee data security and the protection of PII, adopted and implemented a written information security policy, discontinued the practice of storing PII on its web server, and encrypted the PII stored on its internal network. In addition, the investment adviser installed a new firewall and logging system to prevent and detect malicious incursions, and retained a cybersecurity firm to provide ongoing reports and advice on the adviser’s information technology security.

According to the SEC’s order, there has been no indication that the investment adviser’s clients suffered any financial harm as a result of the cyber-attack. The investment adviser was assessed a penalty of $75,000 in connection with the settlement.