SEC Sanctions Registered Investment Advisers and Broker-Dealers for Cybersecurity Failures

Type

Cyber Alert

Topics
  • Cybersecurity
  • Compliance

The U.S. Securities and Exchange Commission (SEC) announced that it sanctioned eight firms in three separate actions for failure to establish and implement cybersecurity policies and procedures. These failures resulted in multiple instances of criminal email account takeovers causing personally identifiable information (PII) from thousands of customers and clients to be exposed.

The SEC announcement cites violations of Rule 30(a) of Regulation S-P (the Safeguards Rule), which is designed to protect confidential customer information, and of Section 206(4) of the Advisers Act and Rule 206(4)-7 in connection with misleading breach notifications.

The first SEC order fined firms for failing to implement security policies and for subsequently providing misleading information in their breach notifications. The breaches occurred between 2017 and 2020 and consisted of takeovers of 60 cloud-based staff email accounts, exposing the PII of over 4,000 individuals.

The second SEC order relates to takeovers of 121 cloud-based staff email accounts between 2018 and 2021, during which the PII of over 2,100 individuals was exposed. The order cites failure to implement security policies on those accounts until 2021, despite knowledge of the incidents as far back as 2018.

The third SEC order cites failure to adopt written security policies and procedures until May 2020, and failure to implement them until August 2020, despite 15 cloud-based email accounts being taken over between 2018 and 2019, exposing the PII of over 4,900 individuals.

The firms agreed to prevent further violations of the charged provisions, to accept censure, and to pay fines between $200,000 and $300,000.

ACA guidance

The SEC announcement points specifically to the need not only to devise cybersecurity policies and procedures, but especially to enforce them internally. As indicated in this release, failure to do so can lead to exposure of client PII and to SEC orders that impose public censure and fines.

The SEC announcement likewise highlights the need to strengthen cybersecurity in relation to email and other data protection (e.g., via implementing multi-factor authentication), and to shore up protections regarding cloud services. It is important to note that all of the firms involved in this SEC action suffered email account takeovers in cloud environments, indicating the need for assessments of and improvements in cloud security configurations.

The announcement further reinforces the fact that registered investment advisers and broker-dealers, no matter how big or small, are not exempt from SEC cybersecurity scrutiny. Governance, access controls, data loss prevention, vendor management, cyber training, and incident response are all still very much in focus; perhaps even more so considering these areas are in scope at an adviser’s connected partners. Additionally, private equity firms remain under further scrutiny as to how they oversee cyber concerns at their portfolio companies.

How we help

ACA Aponix® provides the following services that can help firms develop and implement cybersecurity programs in compliance with SEC requirements, assess and protect their cloud environments, and in general protect assets and investors.  
