SEC Sanctions Firms over Cybersecurity Incident Responses

The SEC brought sanctions against three firms (and related entities) registered as broker-dealers, investment advisers, or both, for cybersecurity failures. Between 2017 and 2021, each firm experienced breaches of multiple cloud-based email accounts that were taken over by unauthorized third parties. The number of compromised accounts ranged from over a dozen to over 100. At each firm, client Personally Identifiable Information (“PII”) was allegedly exposed.

The SEC’s findings included violations of Rule 30(a) of Regulation S-P (the Safeguards Rule), Section 206(4) of the Advisers Act and Rule 206(4)-7 (the Compliance Rule). Each firm agreed to cease and desist as well as a censure and penalties ranging from $200,000 to $300,000.

While the breach elements were common among the firms, other elements of the findings are more telling in driving the SEC’s enforcement actions. The actions noted:

  • Accounts were not protected in a manner consistent with firm policies;
  • Policies and procedures failed to include timely firm-wide security measures;
  • Security measures were not implemented in a timely manner for cloud-based email accounts after breaches were detected; and
  • Client disclosures regarding breaches included misleading language that suggested the notifications followed discovery of the breaches much sooner than they actually did.

The findings point to a repeating theme in SEC cybersecurity enforcement cases. The expectation is not that breaches can be 100% prevented, but that firms will have a well-designed response plan and that the plan will be followed. In each of these cases, there was a weakness in the plan (policies and procedures), in the response, or in both.

Response plans should include role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities. Remediation should naturally follow closely on the discovery of a breach.

All firms should also periodically test for vulnerabilities and assess additional measures to remediate the vulnerabilities identified, so that breaches can be prevented.

In the release, Kristina Littman, Chief of the SEC Cyber Unit, noted “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”

Below we are including links for those that are interested in reading more on this topic. If you have questions on how to be sure your firm is compliant and meeting regulatory expectations, please feel free to call us.