The U.S. Securities and Exchange Commission (SEC) continues to promote the importance of cybersecurity and protecting confidential investor information. On September 22, 2015 the SEC’s Office of Investor Education and Advocacy issued an Investor Alert regarding investment accounts whose owners become victims of identity theft or a data breach. This Investor Alert came one week after the SEC issued a Risk Alert on the topic of its Cybersecurity Exam Initiative (September 15, 2015).
Category Archives: Information Security
The SEC’s Cybersecurity Enforcement Action and Risk Alert
September 25, 2015
The Securities and Exchange Commission (SEC) had a busy week regarding investment adviser and broker-dealer cybersecurity. On September 15, 2015 the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert on the topic of its Cybersecurity Examination Initiative. The Risk Alert provides information on the areas of focus for OCIE’s cybersecurity examinations (more on this below). The SEC followed up its Risk Alert with an enforcement action against an investment adviser for a cybersecurity incident. The SEC censured the investment adviser and imposed a fine of $75,000. The SEC found that the investment adviser failed to adopt written policies and procedures reasonably designed to protect customer records and information, in violation of Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”).
When cybersecurity is covered in the industry press these days, there is often discussion of its importance but unfortunately little specificity about what steps an investment adviser can take to improve its information security and IT practices. Even the recent cybersecurity exam sweep results of the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (“SEC”) are somewhat difficult for investment advisers to interpret and translate into an information security plan; however, the SEC’s Office of Investor Education and Advocacy recently issued a bulletin giving investors tips on protecting their online accounts. These recommendations for protecting an investor’s online account from fraud appear to RIA Compliance Consultants to be just as applicable to an investment adviser devising its own cybersecurity policies and practices.
Cybersecurity for Investment Advisers
October 28, 2014
In its Examination Priorities for 2014 notice, the U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) indicated that technology would be one of its most significant initiatives in 2014. This focus on technology will include an assessment of an investment adviser’s cybersecurity preparedness. In April 2014, OCIE issued a National Exam Program Risk Alert to provide additional information regarding its focus on assessing cybersecurity preparedness in the securities industry. The Risk Alert discusses OCIE’s cybersecurity initiative and the registered investment adviser and broker-dealer examinations OCIE is conducting as part of this initiative, which will, at a minimum, focus on the following:
RIA Compliance Consultants recently hosted a webinar, Establishing Information Security Programs for Registered Investment Advisors. During this webinar, our compliance consultant discussed the regulatory requirements for establishing an information security program and then went into a detailed discussion on how a registered investment advisor can establish an information security program that effectively protects its client data.
September 12, 2012
Under Rule 30 of Regulation S-P, registered investment advisers are required to implement a written security program to safeguard customer information. Specifically, investment advisers are required to have in place an information security program that is reasonably designed to:
September 05, 2012
As we have previously discussed, Rule 30 of Regulation S-P (“Regulation S-P”), issued by the U.S. Securities and Exchange Commission (“SEC”), requires SEC registered investment advisers to adopt written policies and procedures designed to ensure the security and confidentiality of client information. For state registered investment advisers, the Federal Trade Commission (“FTC”) has enacted a Safeguards Rule which is similar to Regulation S-P and applies to state registered investment advisers. Additionally, some states have enacted their own information security requirements that apply to both SEC and state registered investment advisers.
Investment advisers must protect records that contain certain non-public personal information of clients. To safeguard client records and information, investment advisers should have in place a written information security plan. The main purpose of developing and implementing a strong written information security plan is to make sure that investment advisers have written policies and procedures in place to protect clients’ personal information. An investment adviser’s written information security policies and procedures must be reasonably designed to ensure the security and confidentiality of client records and information and to protect such records and information against any anticipated threats, hazards, or unauthorized access or use.
Investment Advisers Must Have Procedures in Place to Safeguard Client Records and Information
August 22, 2012
Pursuant to Rule 30 of Regulation S-P (“Regulation S-P”), investment advisers registered with the U.S. Securities and Exchange Commission (“SEC”) “…must adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These policies and procedures must be reasonably designed to:
Based upon the formal and informal expectations of state and federal securities regulators, every investment adviser should consider developing a written information security plan. Rule 30 of Regulation S-P, issued by the U.S. Securities and Exchange Commission (“SEC”), requires SEC registered investment advisers to adopt written policies and procedures designed to ensure the security and confidentiality of client information. The enforcement of Rule 30 was highlighted by a recent SEC enforcement action against an investment adviser whose trading system was hacked. A year before the hacking occurred, an internal audit showed that the adviser did not use strong passwords. When the hacking occurred a year later, the investment adviser had still taken no action to strengthen its password security. Thus, the adviser was fined $275,000 for failing to safeguard customer information.