Earlier this week, the US Securities and Exchange Commission announced that it had taken enforcement action against an investment advisory firm that failed to take appropriate cyber security measures regarding customer data. In its press release, the SEC stated that:
“As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients. Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cyber security events and have clear procedures in place rather than waiting to react once a breach occurs.”
The full SEC announcement is available here.
This is a significant, but not surprising, development. This follows the SEC’s recent announcement of a renewed initiative to examine broker dealers concerning cybser security risk, which you can read about here. We have been monitoring the growing legal and regulatory issues presented by cyber security and expect to see greater enforcement risk both within and beyond the United States.