A registered investment adviser agreed to settle SEC charges that it failed to adopt adequate cybersecurity policies and procedures reasonably designed to protect customer records and information as required by Rule 30(a) of Regulation S-P (the “Safeguards Rule”). Without admitting or denying the SEC’s findings, the investment adviser agreed to a censure, to cease and desist from future violations, and to appoint an information security manager to oversee its data security.

The SEC found that the adviser stored customers’ personally identifiable information (PII) on a third party-hosted webserver for almost four years without procedures to protect customer records and information. In July 2013, a hacker gained access and copy rights to the data. The SEC found that the adviser’s failure to adopt date security procedures left the PII of more than 100,000 individuals vulnerable to theft.

The investment adviser provides investment advice to individual retirement plan participants through an automated managed account option. To access the automated system, the adviser required prospective clients to log in using their names, birthdates and social security numbers. The adviser compared this information to PII provided to the adviser by retirement plan sponsors, which the adviser stored, unencrypted, on a third-party server.

In July 2013, the adviser discovered the potential data breach and retained more than one cybersecurity consulting firm to assess it. Although the consultants verified that an intruder gained full access and copy rights to the data, they were unable determine whether the PII stored on the server had been compromised. The consultants also determined that the intrusion originated from mainland China. The adviser provided notice of the breach to all individuals whose PII might have been compromised and offered them free identity monitoring through a third-party provider.

The Safeguards Rule requires investment advisers to adopt written policies and procedures that:

  • insure the security and confidentiality of customer records and information;
  • protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
  • protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to a customer.

The SEC found that the adviser’s procedures violated the Safeguards Rule because the adviser’s policies and procedures did not include:

  • conducting periodic risk assessments; 
  • employing a firewall to protect the web server containing client PII; encrypting client PII stored on the third-party server;or
  • establishing procedures to respond to a cybersecurity incident.

Although the adviser promptly took remedial steps, including appointing an information security manager to oversee its data security program and retaining a cybersecurity firm to provide ongoing reports and advice on the firm’s IT security, the SEC censured the adviser and ordered it to cease and desist from further violations of the Safeguards Rule. The adviser must also pay a civil money penalty of $75,000.

The settlement comes less than a week after OCIE announced its second round of cybersecurity examinations (see our related blog post here). OCIE’s examinations will focus on, among other things, management of third-party vendors and how advisers respond to suspected incidents. Advisers should carefully assess their written policies and procedures in light of the Safeguards Rule and OCIE’s new initiative.