An SEC-registered investment adviser was recently sanctioned by the SEC (see Investment Advisers Act Release No. 4204, September 22, 2015) for failing to have in place adequate cybersecurity policies and procedures that might have warded off a cybersecurity attack which resulted in the compromise of private consumer information of approximately 100,000 individuals.
Regulation S-P under the Securities Act of 1933 requires investment advisers, among others, to adopt written policies and procedures reasonably designed to protect customer records and information.
According to the SEC’s complaint, the adviser, during the period from September 2009 up to the date of the cyberattack (i.e., July 2013), stored personally identifiable information of approximately 100,000 individuals, including thousands of its clients, on a third-party-hosted web server. In July 2013, an unknown hacker (believed to be located in China) gained access to the data hosted on the server. Up until then, the adviser had no written policies and procedures in place designed to safeguard customer information. The adviser failed to meet even the most basic requirements for protecting customer information, such as conducting periodic risk assessments, implementing a firewall, using encryption, or having a response plan for cybersecurity incidents.
One thing in the adviser’s favor was the apparently quick remedial action taken after the cybersecurity attack became known. Among other things, the adviser promptly engaged consulting firms to determine the extent of the attack and the measures needed to prevent such an attack from recurring, alerted all persons whose private information was compromised, and offered them free identity theft monitoring.
The adviser agreed to a settlement of the enforcement matter with the SEC that imposed a $75,000 penalty and an order of censure. The sanctions imposed by the SEC in this matter might have been more severe had it not been for the adviser’s prompt remedial actions once the cyberattack was detected.