InfoBytes Blog

Financial Services Law Insights and Observations

SEC takes action against firms for cybersecurity procedures

Securities Privacy/Cyber Risk & Data Security Enforcement SEC Investigations Safeguards Rule

On August 30, the SEC announced sanctions against eight firms in three actions for alleged failures in their cybersecurity policies and procedures that led to takeovers of employee email accounts, which exposed the personal information of thousands of customers and clients at each firm. Each order finds that the firms violated Rule 30(a) of Regulation S-P, known as the Safeguards Rule, “which requires every broker-dealer and every investment adviser registered with the Commission to adopt written policies and procedures that are reasonably designed to safeguard customer records and information.”

According to the SEC’s first order, against a California-based investment firm, from November 2017 to June 2020, cloud-based email accounts of more than 60 personnel across the firm’s entities were taken over by unauthorized third parties, which resulted in the exposure of personally identifiable information (PII) of at least 4,388 customers and clients. According to the order, none of these accounts were protected by multi-factor authentication (MFA), even though the firm’s policies had required the use of MFA “wherever possible” since 2018. The order also finds that the firm sent breach notifications to clients that included misleading template language, which suggested that the notifications were issued much sooner after discovery of the incidents than they actually were. The order, which the company consented to without admitting or denying the findings, imposes a civil money penalty of $300,000 and provides that the company must cease and desist from committing or causing any future violations of the Safeguards Rule.

According to the SEC’s second order, against an Iowa-based investment firm, from January 2018 to July 2021, cloud-based email accounts of more than 121 of the firm’s representatives were taken over by unauthorized third parties, which resulted in the PII exposure of at least 2,177 customers and clients. The order finds that although the firm discovered the first email account takeover in January 2018, it failed to adopt written policies and procedures for cloud-based email accounts reasonably designed to protect customer records and information, such as requiring the use of MFA. The order, which the company consented to without admitting or denying the findings, imposes a civil money penalty of $250,000 and provides that the company must cease and desist from committing or causing any future violations of the Safeguards Rule.

According to the SEC’s third order, against a Washington-based investment firm, from September 2018 to December 2019, cloud-based email accounts of 15 of the firm’s financial advisers or their assistants were taken over by unauthorized third parties, which resulted in the PII exposure of approximately 4,900 customers and clients. The order also finds that the firm “failed to adopt written policies and procedures requiring additional firm-wide security measures for all [of the firm’s] email users until May 2020, and did not fully implement those measures until August 2020,” which placed additional customer and client records and information at risk. In the interim, the firm’s policies recommended, but did not require, the use of MFA for accessing sensitive data. The order, which the company consented to without admitting or denying the findings, imposes a civil money penalty of $200,000 and provides that the company must cease and desist from committing or causing any future violations of the Safeguards Rule.