On August 30, 2021, the Securities and Exchange Commission (SEC) published a press release announcing that it had penalized eight investment advisory firms in three enforcement actions for failing to adopt written policies and procedures reasonably designed to safeguard customer records and information, in violation of Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the Safeguards Rule).
The SEC imposed penalties ranging from $200,000 to $300,000 for the Safeguards Rule violations. The Safeguards Rule requires broker-dealers and investment advisers to adopt written policies and procedures for the protection of customer records and information. Those written policies and procedures must be reasonably designed to accomplish three goals: (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
According to the SEC’s enforcement orders, the firms’ employees had their email accounts compromised, which gave the attackers unauthorized access to customers’ personally identifiable information (PII) stored in those email accounts. After the firms identified the compromises, they took some remedial actions but failed to adopt and implement enhanced security measures in a timely manner, which in some cases resulted in additional account takeovers and exposure of more client information. The SEC emphasized that the firms were particularly slow in adopting and implementing multi-factor authentication (MFA), a control that requires a user to present more than one type of credential to log into an account rather than just a password (e.g., the user must enter a password and also enter a one-time code sent to his or her telephone). One group, referred to in the enforcement actions as the Cetera Entities, was also penalized for sending breach notifications to clients that included misleading template language about when the incidents had been discovered.
In the SEC’s press release, the Chief of the SEC Enforcement Division’s Cyber Unit cautioned that “[i]t is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”
- Although the Safeguards Rule provides that broker-dealers and investment advisers must “adopt” written policies and procedures, simply drafting policies and procedures is not sufficient; the SEC is penalizing firms that fail to implement those policies and procedures in a timely manner, especially where firms know that they have already been attacked.
- The SEC appears to be particularly focused on whether broker-dealers and investment advisers are adopting and implementing MFA, especially following hacks that result in exposure of client information.
- Breach notifications should be accurate as to the timing and severity of the breach, and breach templates should make clear the importance of tailoring the notice to the specific facts of a particular breach.
Given the rise of SEC enforcement actions arising out of cyberattacks, broker-dealers and investment advisers should ensure they have reasonable security, respond appropriately to cyberattacks, and monitor SEC enforcement actions for additional guidance.
If you have additional questions or need further assistance, please reach out to Sheryl A. Falk (Co-Chair, Global Privacy and Data Security Practice), J. Tyler McGaughey (Partner, White Collar, Regulatory Defense & Investigations), David B. Houck (Associate, White Collar, Regulatory Defense & Investigations) or your Winston & Strawn relationship attorney.