InfoBytes Blog
SEC Penalizes Investment Adviser over Inadequate Cyber-Risk Program Prior to Data Breach
On September 22, the SEC ordered a Missouri-based investment adviser to pay a $75,000 penalty, settling allegations that the investment adviser failed to implement required written cybersecurity policies and procedures prior to a data breach affecting the firm’s clients. According to the SEC, in July 2013, the investment adviser’s third party-hosted web server was hacked by a then unknown source compromising the personally identifiable information of more than 100,000 individuals. Subsequent investigations determined that the breach originated in China, and, to date, the firm’s clients have suffered no financial injury. In addition to the $75,000 penalty, the firm was censured and agreed to cease and desist from committing or causing any future violations of the Safeguards Rule.
To coincide with the announcement, the SEC also issued an Investor Alert, “Identity Theft, Data Breaches, and Your Investment Accounts,” which provides actions retail investors can take to protect their investment accounts in the event of a data breach or identity theft.