SEC Charges Investment Adviser With Failing to Protect Clients' Information
An investment adviser agreed to settle SEC charges that it violated Regulation S-P by failing to establish cybersecurity policies and procedures. The adviser had been the victim of a security breach in which a hacker obtained the personally identifiable information ("PII") of approximately 100,000 individuals, including thousands of the adviser's clients.
The SEC found that the investment adviser violated the so-called "safeguards rule" during a nearly four-year period in which it failed to adopt any written policies and procedures to ensure the security and confidentiality of PII and to protect it from anticipated threats or unauthorized access. The SEC elaborated that the firm failed to adopt written policies requiring: (i) periodic risk assessments, (ii) a firewall, (iii) encryption of PII stored on its server, or (iv) a response plan for cybersecurity incidents.
Co-Chief of the SEC Enforcement Division's Asset Management Unit, Marshall S. Sprung, remarked that "Firms must adopt written policies to protect their clients' private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs."