“Firms must adopt written policies to protect their clients’ private information . . . they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
– S.E.C. v. R.T. Jones Capital Equities Mgt.