SEC Says – Do Not Procrastinate!

Authors: Lisa M. Kennerly and Greg Reymann

On August 30, 2021, the Securities and Exchange Commission (“SEC”) issued findings and imposed remedial sanctions in three different matters involving violations of cybersecurity policies and procedures, which resulted in the exposure of customer records and information, including personal investment information.  

Applicable Rules:

The Safeguards Rule of Regulation S-P. Every broker-dealer and investment adviser registered with the Commission is required to adopt written policies and procedures reasonably designed to:

a) Insure the security and confidentiality to customer records and information;

b) Protect against any anticipated threatens or hazards to security or integrity of customer records and information; and

c) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. 

Section 206(4) and Rule 206(4)-7. Every registered investment adviser or investment adviser that is required to register is required to adopt and implement written procedures reasonably designed to prevent violations, by the adviser or its supervised persons, of the Advisers Act, and the rules adopted by the Commission.

Highlights:

In related matters, the SEC found that the respondents’ financial advisers had email accounts that were accessed by unauthorized third parties which resulted in the exposure of customer records and other information. In many of the instances, emails containing personally identifiable information (“PII”) were forward to unauthorized email addresses after receiving a “phishing email”.  In each matter, the respondent eventually amended written policies and procedures that required use of a multi-factor authentication (“MFA”), however, urgency appears to be lacking in enacting the amendments. Lastly, the SEC found that when the Cetera respondents notified clients of the breach of their PII, such notice was not completely forthcoming when it referred to the incidents as “recent.” For example, the notice informed the client that it had been only “two” months since they had learned of the breach when it was at least six months since they had learned of the breach. And, by not informing the clients when the respondents actually learned of the breach, customers did not have the knowledge or ability to guard against potential misuse of their PII that may have occurred more than two months prior to receiving the respondent’s notice.  

So What Did We Learn?

Phishing happens. There is not a strict liability on being hacked, but after such an event it is expected that breach notifications are provided promptly and accurately, and any shortfalls in the written policies and procedures and in corporate training be remedied in a timely manner. Discovering account takeovers in 2018, due largely to a failure of use MFA, and then not implementing a MFA for the email accounts of representatives until 2021, resulted in a violation of the Safeguards Rule for Cambridge.   

MFA is the standard that is expected in cybersecurity policies and procedures.  This is obvious. 

Overall, the SEC’s makes it clear from the three orders that it requires (1) good oversight especially over independent contractor representatives’ and offshore contractors’ email accounts; (2) reasonable measures to be taken to create policies and procedures that ensure timely mitigation should a breach occurs; (3) accuracy of client notification regarding the timing of when the actual breach occurred; and (4) utilization of all available safeguards (i.e. MFA). 

In each of the matters, the SEC found that the respondents were in violation of the Safeguards Rule and Section 206(4) of the Advisers Act and Rule 206(4)-7 and ordered that each respondent undertake remedial efforts and pay a civil money penalty ranging from $200,000.00 to $300,000.00. 

In order to prevent a similar situation, we suggest that you immediately review your relevant polices and procedure and to use all MFA in a manner to ensure maximum protection of customer PII. Should you need our assistance, please do not hesitate to call. 

This article does not in any way create an attorney-client relationship. This article should not be seen as legal advice. You should consult with an attorney before you rely on this information.