News & Insights

SEC Charges Adviser for Lacking Cybersecurity Procedures

SEC Charges Adviser for Lacking Cybersecurity Procedures

WHAT HAPPENED?

On September 26th, 2018, the Securities and Exchange Commission (SEC) announced its charges against a broker-dealer and registered investment adviser (RIA) for its failure to provide adequate cybersecurity policies and procedures.

The RIA has agreed to pay $1 million to settle its charges surrounding a cyber penetration that compromised the personal information of thousands of clients.

The SEC’s order stated, in 2016, cyber intruders impersonated the RIA’s contractors for six days.  The intruders called the RIA’s client support line, requested password resets, gained access to personal client information, and created new online client profiles.  For three clients, the intruders were also able to obtain personal account documents.

According to the SEC, the RIA’s failure to detect and abort the cyber intruders was a result of its “weakness in cybersecurity procedures.”

Furthermore, the RIA failed to supply adequate policies and procedures to the systems used by its independent contractors, the largest part of their workforce.

WHAT DOES THIS MEAN FOR ME?

The Safeguards Rule and Identity Theft Red Flags Rule, regulated by the Federal Trade Commission, are designed to protect confidential client information from identity theft.  This is the first SEC enforcement action for violations of the Identity Theft Red Flags Rule.

The Chief of the SEC Enforcement Division’s Cyber Unit, Robert A. Cohen, reminds us that brokers and investment advisers alike should have cybersecurity procedures “reasonably designed to fit their specific business model needs.”

For more information about this case or about your Cybersecurity policies and procedures, please reach out to Fairview directly.

Sources: https://www.sec.gov/news/press-release/2018-213

https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/safeguards-rule

https://www.ftc.gov/tips-advice/business-center/privacy-and-security/red-flags-rule