The Securities and Exchange Commission sanctioned eight registered broker-dealer and investment advisory firms this week for failures in their cybersecurity policies and procedures. Those failures resulted in email account takeovers, which exposed the personal information of thousands of customers and clients at each firm. Those firms paid penalties ranging from $200,000 to $300,000.
The SEC orders cited: (i) failure to protect email accounts in a manner consistent with firm policies, (ii) misleading information in breach notifications to clients, and (iii) delay in notifying clients of a breach and in implementing enhanced security measures.
In a press release, Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit, said: “Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information. It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”
Specifically, broker-dealer and investment advisory firms must comply with Regulation S-P, also known as the Safeguards Rule, which is designed to protect confidential customer information. Investment advisory firms must also comply with Section 206(4) of the Advisers Act and Rule 206(4)-7 in connection with their breach notifications to clients.
Spencer Fane provides steady guidance for broker-dealer and investment advisory firms looking to build and fully implement effective data privacy and cybersecurity programs that identify, assess, and mitigate risk related to data collection, including potential exposure to SEC enforcement actions for failure to comply with applicable regulatory requirements.