Almost daily, headlines report hackers breaching the cyber defenses of major institutions and government bodies and obtaining information that could seriously compromise not only the financial well-being of countless individuals but also the financial stability of the nation. Even government bodies such as the U.S. Office of Personnel Management are susceptible to intrusion. If the main custodian of the United States government’s most important personnel information can be hacked, who is not at risk?
To provide a framework for ensuring that customer information is protected, the Securities and Exchange Commission (“SEC”) promulgated Regulation S-P (Privacy of Consumer Financial Information) in 2000, pursuant to the Gramm-Leach-Bliley Act (“the Act”). Regulation S-P applies to registered investment advisers, brokers, dealers, and investment companies that are subject to SEC regulation.
In a recent settlement, the SEC ordered an investment adviser registered under the Investment Advisers Act of 1940 to cease and desist from committing or causing any violations of Rule 30(a) of Regulation S-P and imposed a $75,000 fine. Rule 30(a), known as the Safeguards Rule, provides that “every broker, dealer, and investment company, and every investment adviser registered with the [SEC] must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” The settlement order offers useful insight into how the SEC is currently treating cybersecurity failures. The adviser suffered a breach in July 2013 that compromised the personally identifiable information (“PII”), namely the names, dates of birth and Social Security numbers, of more than 100,000 individuals. After discovering that its third-party-hosted web server had been compromised in a way that allowed an intruder to gain full access rights and copy the data stored on it, the adviser promptly retained multiple cybersecurity consulting firms to assess the extent of the breach. As of the date of the settlement release, that investigation had uncovered no indication that any client had suffered financial harm as a result of the attack. All individuals whose PII may have been compromised were notified and offered free identity monitoring. Nevertheless, the SEC found that the adviser had failed to adopt written policies and procedures reasonably designed to safeguard customer information. In particular, the adviser had not conducted periodic risk assessments, employed a firewall, encrypted client PII, or established adequate written procedures for responding to a cybersecurity incident. Notably, the fact that the server was hosted by a third party did not relieve the adviser of responsibility for safeguarding the customer data stored on it.
In addition to holding firms liable for inadequate policies and procedures, the SEC has held individual executives personally liable for their firms’ cybersecurity shortfalls. In the GunnAllen settlement, the SEC found that the firm’s president and national sales manager had violated customer privacy rules by improperly transferring customer records to another firm, and that the chief compliance officer (“CCO”) had failed to ensure that the firm’s policies and procedures were reasonably designed to safeguard confidential customer information. Each executive was fined, censured and ordered to cease and desist from further violations.
The SEC is clearly making cybersecurity a priority. Several releases of the examination priorities of its Office of Compliance Inspections and Examinations (“OCIE”) discuss the initiatives the SEC has instituted in furtherance of a robust cybersecurity framework. In the absence of an actual cyber-attack, the SEC’s initial focus will most likely fall on the firms with the largest customer bases, but that attention will eventually trickle down to smaller firms, which generally have fewer resources for implementing the requisite policies and procedures. That said, an examination is possible at any time for a firm of any size. Regardless of size, firms are on notice: robust policies, procedures and programs must be in place to protect the confidentiality of customer records.
While no firm can stop every possible attack, the least you can do is be prepared to protect your firm and ensure that you comply with the applicable regulatory mandates.
Sources

1. OPM cybersecurity incident notice: https://www.opm.gov/news/releases/2015/06/opm-to-notify-employees-of-cybersecurity-incident/
2. Regulation S-P: 17 C.F.R. part 248, subpart A.
3. Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act), section 504, codified at 15 U.S.C. § 6804.
4. Safeguards Rule: 17 C.F.R. § 248.30(a).
5. GunnAllen settlement: SEC press release 2011-86, https://www.sec.gov/news/press/2011/2011-86.htm
Matthew Tobin, Ziliak Law, October 6, 2015