Rule 30(a) of Regulation S-P, better known as the Safeguards Rule, requires firms to adopt written policies and procedures to address the administrative, technical, and physical safeguards that are necessary to protect customer records and information. On August 30, 2021, the SEC settled three enforcement actions that charged firms with having deficient cybersecurity procedures. The actions alleged that the firms violated the Safeguards Rule, which exposed customers’ and clients’ confidential information to unauthorized third parties.
The Safeguards Rule obligates every Registered Investment Adviser (RIA), as well as every SEC-registered broker-dealer, to adopt written policies and procedures that are reasonably designed to (1) ensure the security and confidentiality of customer records and information; (2) protect against anticipated threats or hazards that may jeopardize the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that might result in substantial harm or inconvenience to any customer.
The SEC sanctioned a total of eight firms in the three actions because they failed to implement reasonably designed cybersecurity policies and procedures. These failures resulted in email account takeovers that exposed the personal information of thousands of brokerage customers and investment advisory clients. Several of the firms were dually registered as broker-dealers and RIAs. The SEC brought these actions even though the account takeovers were not used for unauthorized trades or transfers; exposure of customer PII alone was enough to sustain the charges.
Overview of the three enforcement actions
The first of the three enforcement actions was brought against a firm with multiple affiliated entities. The entities allegedly violated the Safeguards Rule because their policies and procedures were not reasonably designed to prevent violations of Regulation S-P. According to the SEC's order, the cloud-based email accounts of over sixty individuals were taken over by unauthorized third parties. As a result, the personally identifiable information (PII) of over 4,000 customers and clients was exposed. None of the accounts taken over were protected in a manner consistent with the entities' own policies and procedures, which is the point the SEC pressed: the written controls existed, but they were not applied to the accounts that were compromised.
The accounts were taken over using attack methods such as phishing and credential stuffing. According to the SEC, "credential stuffing is a means of gaining unauthorized access to accounts by automatically entering large numbers of pairs of log-in credentials, typically a username or email address together with a password, that were obtained elsewhere."
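Credential stuffing has a recognizable signature in authentication logs: one source hits many different usernames in a short window, each usually with only one or two passwords, and the occasional success is an account whose owner reused a password from a breached site. The following detector is an added example written for this page; it is not code from the article, from RIA Compliance Group, or from any of the firms in the SEC orders. The log format, the sample lines and the thresholds (five distinct usernames failing from one IP within ten minutes) are assumptions chosen for illustration, and the sample log is constructed. It distinguishes a stuffing source from a plain brute-force source, which fails repeatedly against a single account, and then lists the accounts that had a successful login from a flagged source, which are the likely takeovers to investigate first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of cloud email sign-in logs (assumed format):
#   <ISO-8601 UTC timestamp> <source IP> <username> <FAIL|SUCCESS>
# 203.0.113.7 sprays one guess each across many accounts and lands one (stuffing).
# 198.51.100.4 hammers a single account (brute force / lockout noise, not stuffing).
# 192.0.2.9 is an ordinary successful sign-in.
SAMPLE_LOG = """\
2021-03-01T09:00:01Z 203.0.113.7 alice@example.com FAIL
2021-03-01T09:00:03Z 203.0.113.7 bob@example.com FAIL
2021-03-01T09:00:05Z 203.0.113.7 carol@example.com FAIL
2021-03-01T09:00:07Z 203.0.113.7 dave@example.com FAIL
2021-03-01T09:00:09Z 203.0.113.7 erin@example.com FAIL
2021-03-01T09:00:11Z 203.0.113.7 frank@example.com SUCCESS
2021-03-01T09:00:30Z 198.51.100.4 alice@example.com FAIL
2021-03-01T09:00:40Z 198.51.100.4 alice@example.com FAIL
2021-03-01T09:00:50Z 198.51.100.4 alice@example.com FAIL
2021-03-01T09:01:00Z 198.51.100.4 alice@example.com FAIL
2021-03-01T09:01:10Z 198.51.100.4 alice@example.com FAIL
2021-03-01T09:01:20Z 198.51.100.4 alice@example.com FAIL
2021-03-01T09:05:00Z 192.0.2.9 alice@example.com SUCCESS
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), result))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: sorted usernames attempted} for every source IP whose failed
    sign-ins touch at least `min_users` distinct accounts inside any sliding
    `window`. Many failures against one account do not qualify: that is brute
    force or a user mistyping, and needs a different response (lockout, MFA
    prompt) than a credential-stuffing campaign (block the source, reset the
    accounts that succeeded)."""
    failures = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            failures[ip].append((ts, user))

    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        left = 0
        for right in range(len(attempts)):
            # Shrink the window from the left until it spans at most `window`.
            while attempts[right][0] - attempts[left][0] > window:
                left += 1
            distinct = {user for _, user in attempts[left:right + 1]}
            if len(distinct) >= min_users:
                flagged[ip] = sorted({user for _, user in attempts})
                break
    return flagged


def likely_takeovers(events, flagged_ips):
    """Accounts with a SUCCESS from a flagged source: the reused-password hits
    that turn a spray into an account takeover, and the first reset targets."""
    return sorted({user for _, ip, user, result in events
                   if result == "SUCCESS" and ip in flagged_ips})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    hits = detect_credential_stuffing(evts)
    for ip, users in hits.items():
        print(f"credential stuffing from {ip}: {len(users)} accounts tried")
    print("likely takeovers:", likely_takeovers(evts, hits))
```

The "distinct usernames per source" rule is what separates stuffing from the failed-login noise every firm sees; a lockout policy keyed on the user alone never fires on a spray of one guess per account, which is why MFA on the mailbox itself, rather than a stronger password policy, is the control that actually stops this attack.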
The RIAs charged in the first enforcement action were accused of violating Section 206(4) of the Investment Advisers Act and Rule 206(4)-7 thereunder. RIAs are required to adopt and implement written compliance policies and procedures that are reasonably designed to prevent violations of the Act and its rules by the adviser or its supervised persons. In particular, the RIAs failed to adopt and implement reasonably designed policies and procedures covering communications with advisory clients. This failure resulted in the RIAs sending breach notifications to the firms’ advisory clients that included misleading template language. The breach notifications gave clients the misimpression that the incidents occurred two months earlier. In fact, the entities had learned about the breach six months before clients were notified. Because of the delayed notification, clients did not have the opportunity to guard against misuse of their PII.
The entities’ compliance failures cost them $300,000 along with other sanctions. The enforcement action can be found here.
The SEC’s second enforcement action was brought against a broker-dealer and RIA whose representatives’ cloud-based email accounts were taken over by unauthorized third parties. As a result of the attack, the PII of over 2,000 customers and clients was exposed, and another 3,800 customers were potentially exposed. Although the first email account takeover occurred in January 2018, the broker-dealer and the RIA did not adopt and implement enhanced security measures until 2021. Because they failed to make those changes for three years, there was a significant risk that the PII of even more customers and clients could be exposed to unauthorized third parties.
The SEC imposed sanctions against the parties to the enforcement action, including a $250,000 fine. More details are available here.
In the third enforcement action, the SEC sanctioned a dually registered firm that failed to adopt written policies and procedures that were reasonably designed to safeguard customer and client records and information. According to the SEC’s order, the firm violated the Safeguards Rule. Between September 2018 and December 2019, the cloud-based email accounts of fifteen financial advisers or their assistants were taken over by unauthorized third parties. The firm’s compliance failures exposed the PII of nearly 5,000 customers and clients. The SEC also found that the firm failed to require additional firm-wide security measures until August 2020, which placed additional customer and client records and information at risk.
The SEC levied sanctions against the firm and ordered it to pay a penalty of $200,000. The SEC’s order can be reviewed here.
These three enforcement actions make it very clear that examiners will be scrutinizing RIAs’ compliance with Regulation S-P and the Safeguards Rule. Advisers should be bolstering their cybersecurity policies and procedures to guard against email account takeovers. Requiring multi-factor authentication on email accounts, together with other controls, can materially reduce an RIA’s exposure to phishing and credential stuffing. Furthermore, prompt and accurate notification to clients can help to mitigate any additional harm that may occur.
It is not enough for RIAs to adopt policies and procedures. Firms must make sure those policies and procedures are actually implemented and adhered to by advisory personnel; in the first action, every compromised account was one that had not been protected the way the firm’s own written procedures required.
After reviewing these enforcement actions, RIAs should read a Risk Alert dealing with Regulation S-P that was published on April 16, 2019. The Risk Alert will help firms to adopt and implement effective policies and procedures intended to safeguard customer records and information in accordance with Regulation S-P. The Risk Alert is located here.
About RIA Compliance Group: RIA Compliance Group is an investment adviser compliance consulting firm based in Delray Beach, Florida. The firm’s mission is to provide affordable, timely, practical, and cost-effective compliance advice. We help investment advisers to comply with the myriad of state and SEC regulations and compliance obligations facing their firms. RIA Compliance Group takes pride in giving personal service and real world compliance advice, not theoretical concepts and legalese. The firm interacts on a daily basis with SEC and state securities regulators.
RIA Compliance Group, LLC – 701 SE 6th Ave, Suite 201, Delray Beach, FL 33483 – Tel: 561-600-0564