
Global | Publication | September 2015
On September 22, 2015, the US Securities and Exchange Commission (SEC) announced that an investment advisor firm had agreed to settle allegations that it failed to adopt written cybersecurity policies and procedures reasonably designed to safeguard customer information.
The SEC enforcement action was prompted by an attack by an unknown intruder on the firm’s third-party-hosted web server, which resulted in the intruder gaining access rights and copy rights to personally identifiable information pertaining to over 100,000 individuals, including clients of the firm.
While the firm provided notice of the breach and offered free identity theft monitoring services to all affected individuals, took prompt remedial action to mitigate against the risk of future cyber threats, and there was no indication that any client suffered financial harm as a result of the attack, the SEC instituted administrative cease-and-desist proceedings, alleging the firm had failed for nearly a four-year period to adopt written policies and procedures reasonably designed to safeguard its clients’ personal information as required by the “Safeguards Rule.”
The Safeguards Rule under SEC Regulation S-P requires every investment advisor to adopt written policies and procedures to, among other things, protect against any anticipated threats or hazards to the security or integrity of customer records and information.
The SEC Order¹ asserts that the firm failed to adopt reasonable written policies or procedures for protecting clients’ information, including:
The firm neither admitted nor denied those allegations, but agreed, among other things, to pay a civil monetary penalty in the amount of $75,000 to the SEC.
The SEC’s action demonstrates its willingness to:
The SEC Order further underscores the increasing focus of securities regulators on cybersecurity in relation to the integrity of the market system, client data protection, and disclosure of material information.
This enforcement proceeding is the latest, but not the sole, illustration of US and Canadian securities regulators’ interest in cybersecurity. For example:
1 http://www.sec.gov/litigation/admin/2015/ia-4204.pdf
2 Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit, as quoted in SEC Press Release “SEC Charges Investment Advisor With Failing to Adopt Proper Cybersecurity Policies and Procedures Prior to Breach” (September 22, 2015) http://www.sec.gov/news/pressrelease/2015-202.html
3 http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
4 http://www.osc.gov.on.ca/en/SecuritiesLaw_csa_20130926_11-326_cyber-security.htm
5 See http://www.finra.org/industry/2015-cybersecurity-report and http://www.cftc.gov/idc/groups/public/@lrlettergeneral/documents/letter/14-21.pdf
6 See for example SEC Office of Compliance Inspections and Examinations, “OCIE’s 2015 Cybersecurity Examination Initiative” (September 15, 2015) http://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf
7 https://www.osc.gov.on.ca/en/NewsEvents_nr_20150602_jsot-hospital-privacy-breach.htm
© Norton Rose Fulbright LLP 2025