SEC Announces Cybersecurity Warning Shot
On September 22, 2015, the Securities and Exchange Commission (SEC) announced a cybersecurity-related settlement with a Missouri investment adviser for failing to maintain policies and procedures, in violation of the so-called "Safeguards Rule" of Rule 30(a) of Regulation S-P. This announcement represents a notable "warning shot" in advance of the broader upcoming SEC cybersecurity examinations that we described in our recent client alerts, found here and here.
The Safeguards Rule
The Safeguards Rule, which the SEC adopted in 2000, requires that every investment adviser registered with the SEC adopt policies and procedures reasonably designed to: (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. The SEC adopted amendments to the Safeguards Rule, effective January 2005, to require that the policies and procedures adopted thereunder be in writing. Only in 2015 did the SEC publish guidance about specific cybersecurity policies and procedures that should be adopted and implemented by regulated entities.
According to the SEC order, found here, the adviser stored personally identifiable information of its clients and others on a third-party hosted web server from September 2009 through July 2013. During this time, the adviser had failed to adopt written policies and procedures reasonably designed to safeguard customer information. Specifically, as noted in the SEC order, the adviser failed to conduct periodic risk assessments, implement a firewall, encrypt personal information stored on its third-party hosted web server, or maintain a response plan for cybersecurity incidents.
In July 2013, an unknown hacker gained access to the server, rendering the personal information of approximately 100,000 clients vulnerable to theft. After discovering the breach, the adviser promptly retained several cybersecurity consulting firms to investigate the attack, which was traced to China, and to determine its scope. The adviser also provided breach notification to every individual whose information may have been compromised and offered free identity theft monitoring through a third-party provider. According to the SEC order, the adviser has not, to date, received any indication of a client suffering financial harm as a result of the cyber-attack.
For allegedly failing to maintain policies and procedures required by the Safeguards Rule, the adviser agreed to be censured and pay a $75,000 penalty.
The order is noteworthy for its emphasis on the absence of adequate policies and procedures rather than on the adviser's response to the breach or on whether clients suffered actual harm. The SEC's assertive stance with respect to cybersecurity demonstrates why investment advisers and broker-dealers need to adopt, implement, and test cybersecurity policies and procedures. Such policies and procedures must be tailored to the particulars of a firm's business and must address governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. The SEC order also suggests that, with respect to third-party servers, firms need to implement a firewall, encrypt personal information, and periodically test such systems for potential risks.
Crowell & Moring's cybersecurity team keeps its finger on the pulse of the growing complexity of risks affecting businesses and governmental regulatory responses to such risks. Additional information about Crowell & Moring's cybersecurity practice may be found here.
For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.