Cross-border alert: SEC proceeding underscores need for proactive measures to address cybersecurity

On September 22, 2015, the US Securities and Exchange Commission (SEC) announced that an investment advisor firm had agreed to settle allegations that it failed to adopt written cybersecurity policies and procedures reasonably designed to safeguard customer information.

Background

The SEC enforcement action was prompted by an attack by an unknown intruder on the firm’s third-party-hosted web server, which resulted in the intruder gaining access rights and copy rights to personally identifiable information pertaining to over 100,000 individuals, including clients of the firm.

While the firm provided notice of the breach and offered free identity theft monitoring services to all affected individuals, took prompt remedial action to mitigate against the risk of future cyber threats, and there was no indication that any client suffered financial harm as a result of the attack, the SEC instituted administrative cease-and-desist proceedings, alleging the firm had failed for nearly a four-year period to adopt written policies and procedures reasonably designed to safeguard its clients’ personal information as required by the “Safeguards Rule.”

SEC Order

The Safeguards Rule under SEC Regulation S-P requires every investment advisor to adopt written policies and procedures to, among other things, protect against any anticipated threats or hazards to the security or integrity of customer records and information.

The SEC Order¹ asserts that the firm failed to adopt reasonable written policies or procedures for protecting clients’ information, including:

• Conducting periodic risk assessments;
• Implementing a firewall to protect the web server containing the client personal identifiable information;
• Encrypting client personal identifiable information stored on the web server; and
• Establishing procedures for responding to a cybersecurity incident.

The firm neither admitted nor denied those allegations, but agreed, among other things, to pay a civil monetary penalty in the amount of $75,000 to the SEC.

Take-away

The SEC’s action demonstrates its willingness to:

• Insist that firms adopt written policies and procedures that “anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs”;²
• Enforce and apply safeguard requirements to third-party web-based systems; and
• Take enforcement action notwithstanding an appropriate response to the breach and lack of evidence of identity theft or financial harm to clients.

The SEC Order further underscores the increasing focus of securities regulators on cybersecurity in relation to the integrity of the market system, client data protection, and disclosure of material information.

This enforcement proceeding is the latest, but not the sole illustration of US and Canadian securities regulators’ interest in cybersecurity. For example:

• In October 2011, the SEC’s Division of Corporation Finance issued guidance on existing disclosure obligations related to cybersecurity risks and incidents to assist public companies in framing disclosures regarding cybersecurity issues.³
• Canadian Securities Administrators’ CSA Staff Notice 11-326 (September  26, 2013) noted that, “[s]trong and tailored cyber security measures are an important element of issuers’, registrants’ and regulated entities’ controls in promoting the reliability of their operations and the protection of confidential information.”⁴
• The Financial Industry Regulatory Authority (FINRA) and the US Commodity Futures Trading Commission (CFTC) have each published cyber guidance.⁵
• SEC, FINRA, CFTC and Ontario Securities Commission (OSC) staff have each started to include cyber-specific questions in their ongoing reviews.⁶
• In June 2015, criminal and quasi-criminal charges were laid against a former sales representative of an investment firm for purchasing personal information stolen from a third party’s records for use in sales leads following an investigation by the OSC’s Joint Serious Offences Team.⁷

Footnotes

¹ http://www.sec.gov/litigation/admin/2015/ia-4204.pdf

² Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit, as quoted in SEC Press Release “SEC Charges investment Advisor With Failing to Adopt Proper Cybersecurity Policies and Procedures Prior to Breach” (September 22, 2015) http://www.sec.gov/news/pressrelease/2015-202.html

³ http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

⁴ http://www.osc.gov.on.ca/en/SecuritiesLaw_csa_20130926_11-326_cyber-security.htm

⁵ See http://www.finra.org/industry/2015-cybersecurity-report and http://www.cftc.gov/idc/groups/public/@lrlettergeneral/documents/letter/14-21.pdf

⁶ See for example SEC Office of Compliance Inspections and Examinations, “OCIE’s 2015 Cybersecurity Examination Initiative” (September 15, 2015) http://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf

⁷ https://www.osc.gov.on.ca/en/NewsEvents_nr_20150602_jsot-hospital-privacy-breach.htm