On September 26, 2018, the Securities and Exchange Commission ("SEC") Division of Enforcement announced that it settled claims with a registered investment adviser ("RIA") firm that "agreed to pay $1 million to settle charges related to its failures in cybersecurity policies and procedures surrounding a cyber intrusion that compromised personal information of thousands of customers." In particular, the SEC charged the advisory firm with "violating the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft." This recent enforcement action is of particular note as it was the first SEC enforcement action to charge a firm with violations of the Identity Theft Red Flags Rule.
In recent years, there have been a growing number of SEC enforcement cases related to investment adviser cybersecurity, including a settlement on September 22, 2015, when an RIA firm "agreed to settle charges that it failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients." In that particular case, the SEC investigation found that the firm violated the Safeguards Rule "during a nearly four-year period when it failed to adopt any written policies and procedures to ensure the security and confidentiality of PII and protect it from anticipated threats or unauthorized access."
Learning from the Recent SEC Cybersecurity Enforcement Action
When reviewing the cybersecurity-related SEC order from September 26, 2018, which charged the advisory firm with violating both the Safeguards Rule and the Identity Theft Red Flags Rule, the Chief Compliance Officer and principals of all federal and state-registered investment advisory firms should consider the following:
- While the issues identified in the order relate to inadequate technical controls, training, policies and procedures, and a series of other related miscues, the root of the breach which led to the exposure of personal information for thousands of customers likely started with a social engineering-type hack that first targeted individual advisor representatives of the firm and then the firm's technical support staff. As we have continued to stress, often the greatest cybersecurity risk for any RIA firm is its human staff.
- With regard to the Safeguards Rule, the SEC alleged the firm "violated the Safeguards Rule because its policies and procedures to protect customer information and to prevent and respond to cybersecurity incidents were not reasonably designed to meet these objectives." Furthermore, a number of the firm's "cybersecurity policies and procedures were not reasonably designed to be applied to its contractor representatives."
- As it relates to preventing identity theft, although the firm "adopted a written Identity Theft Prevention Program in 2009," the SEC alleged that the firm still violated the Identity Theft Red Flags Rule "because it did not review and update the Identity Theft Prevention Program in response to changes in risks to its customers or provide adequate training to its employees. In addition, the Identity Theft Prevention Program did not include reasonable policies and procedures to respond to identity theft red flags."
Cybersecurity considerations aside, this enforcement case is also a classic reminder to RIA firms that while establishing an initial set of policies and procedures is a key first step in implementing a compliance program, simply establishing such policies and procedures is not enough. Firms need to regularly review policies and procedures and also provide sufficient training to staff members.
This enforcement case also highlights that RIA firms need to ensure that information security policies and procedures and training procedures are specific enough to properly respond to and mitigate a cybersecurity breach. In particular, the SEC alleged that "although incident response procedures required in general terms that potentially compromised user accounts be disabled or the relevant applications be shut down to prevent additional compromise," the firm's "policies and procedures were not reasonably designed to accomplish these directives." Moreover, the firm's information technology security staff "who were responsible for responding to security incidents, were not provided with adequate training." As a result, the staff inaccurately believed they had mitigated the issue when in fact the steps they took did not stop the ongoing cybersecurity incident. In addition, the SEC alleged that proper procedures were not implemented to ensure that breach information was shared across other groups at the firm, which could have helped to mitigate further damage.
More RIA Cybersecurity Enforcement Action is on the Horizon
For a number of years, the SEC Office of Compliance Inspections and Examinations ("OCIE") has continued to highlight its cybersecurity-focused regulatory examination initiatives. These efforts have included the OCIE Division issuing a series of information security-related risk alerts on February 3, 2015, September 15, 2015, and August 7, 2017. In addition, the OCIE Division has continually listed cybersecurity as a top examination priority in recent years, including in 2017 and 2018.
In its 2018 fiscal year enforcement report, the SEC Enforcement Division notes it has "more than 225 cyber-related investigations ongoing." Putting aside the two enforcement actions highlighted above, to date there have not been a large number of investment adviser cybersecurity-related enforcement actions. However, this seems likely to change moving forward given the continued audit focus and significant volume of ongoing investigations.
RIA in a Box LLC is not a law firm, investment advisory firm, or CPA firm. RIA in a Box LLC does not provide legal advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel if applicable.