SEC Fines Investment Adviser for Cybersecurity Failures

October 09, 2018



The United States Securities and Exchange Commission (SEC) has recently fined an Iowa-based investment adviser $1 million for alleged cybersecurity failures that led to a data breach that compromised the personal information of its clients. According to the SEC, information from over 5,600 of the investment adviser’s clients was obtained by criminals impersonating independent advisers. The SEC claims that the intruders gained access through weaknesses within the firm’s cybersecurity procedures. Some of these weaknesses had been exposed during previous fraudulent activity. The investment adviser allegedly failed to update and fix those issues.

It appears that this is the first time the SEC has had the chance to enforce its eight-year-old Identity Theft Red Flags rule, Rule 201 of Regulation S-ID (17 C.F.R. Sect. 248.201), against an investment adviser. This SEC rule requires an investment adviser to implement a written program to detect, prevent and mitigate identity theft. The SEC further alleges that the investment adviser also violated Rule 30(a) of Regulation S-P, which requires that a federally registered investment adviser adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.

The investment adviser has agreed to pay the $1 million fine and will retain an independent consultant to evaluate its policies and procedures for compliance with Regulation S-P, the Identity Theft Red Flags Rule and related regulations.

RIA Compliance Consultants, Inc. has recently updated its cybersecurity sample forms. In our Cybersecurity – Best Practices Checklist, we have compiled a list of best practices intended to help an investment adviser protect its information systems and the confidential information of its clients. More information about this sample form can be found here. We also provide other cybersecurity-related forms, such as Conducting Due Diligence of Cloud Computing Service Providers, which can be viewed here; Cleaning Company – Acknowledgement of Background Checks, which can be viewed here; Letter Notifying Client of Phishing Email, which can be viewed here; GDPR Best Practices for Website, which can be viewed here; and Cybersecurity – Employee Acknowledgement, which can be viewed here. We encourage you to speak with your consultant about your cybersecurity policies and procedures. If you are not a client of RCC, please click here to set up an introductory call.

Posted by RCC
Labels: Cyber Security, Cybersecurity, Enforcement, SEC