SEC Punishes RIA for Failing to Stop Cyber-Attack
The SEC fined and sanctioned an investment adviser for failing to adopt policies and procedures reasonably designed to protect confidential client information from a hacker. The SEC asserts that a foreign cyber-intruder gained access to customers’ names and social security information housed on its third-party-hosted web server. Although no clients suffered financial harm, the SEC charges the firm with violating the Safeguards Rule (Rule 30(a) of Regulation S-P) by failing to conduct periodic risk assessments, employ a firewall, encrypt client data, and establish procedures to respond to a cybersecurity incident. The Co-Chief of the SEC Enforcement Division’s Asset Management Unit, Marshall S. Sprung, said “As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients.”
OUR TAKE: Although it may be difficult or impossible to stop cyber-attacks, especially at a third party, firms must adopt policies and procedures that establish a legal defense that they did all that was reasonable despite an attack. We expect that many firms will struggle with the costs and implementation of enhanced cyber-security.