After repeated warnings to Registered Investment Advisers (“RIAs”) regarding the importance of protecting their clients from cyber threats, the SEC sent an even clearer message to advisory firms. On September 22, 2015, the SEC charged an RIA with failing to adopt written policies and procedures designed to protect customer records and information. The RIA was accused of violating Rule 30(a) of Regulation S-P, better known as the Safeguards Rule. The Safeguards Rule was adopted in 2000 and amended in January 2005.
The RIA, which is based in St. Louis, Missouri, agreed to settle the charges. From at least September 2009 through July 2013, the RIA stored sensitive personally identifiable information of clients and other persons on its third party-hosted web server without adopting written policies and procedures to guard it. In July 2013, the web server was attacked. The breach compromised the personally identifiable information of approximately 100,000 individuals, including thousands of clients.
RIAs must adopt written policies and procedures that are reasonably designed to protect customer records and information. Among other lapses, this RIA failed to:
- Conduct periodic risk assessments;
- Install a firewall;
- Encrypt personally identifiable information stored on its server; and
- Maintain a response plan for dealing with cybersecurity incidents.
After discovering the breach, the RIA promptly retained several cybersecurity consulting firms to confirm that it was attacked. The RIA notified every affected individual in a timely manner and offered free identity theft monitoring through a third-party provider.
Without admitting or denying the SEC’s findings, the RIA agreed to cease and desist from committing or causing future violations of the Safeguards Rule. The RIA also agreed to be censured and pay a $75,000 penalty, even though no clients were harmed by the breach. To mitigate the risk of future cyber attacks, the RIA appointed an information security manager to oversee data security. It also adopted and implemented a written information security program. The RIA no longer stores personally identifiable information on its web server. Information of this kind on its internal network is now encrypted. In addition, the firm installed a new firewall and logging system to prevent and detect malicious incursions. It also hired a new cybersecurity firm.
In a press release, Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit, stressed the importance of enforcing the Safeguards Rule, “even in cases like this one where there is no apparent financial harm to clients.” According to Sprung, “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
The enforcement action can be found at: http://www.sec.gov/litigation/admin/2015/ia-4204.pdf.
About RIA Compliance Group: RIA Compliance Group is an investment adviser compliance consulting firm based in Boca Raton, Florida. The firm’s mission is to provide affordable, timely, practical, and cost-effective compliance advice. We help investment advisers to comply with the myriad of state and SEC regulations and compliance obligations facing their firms. RIA Compliance Group takes pride in giving personal service and real world compliance advice, not theoretical concepts and legalese. The firm interacts on a daily basis with SEC and state securities regulators.
RIA Compliance Group, LLC – 5301 North Federal Highway, Suite 380, Boca Raton, FL 33487 – Tel: 561-600-0564 – Email: firstname.lastname@example.org.