On September 22, 2015, the US Securities and Exchange Commission (“SEC”) brought and settled charges against a registered investment adviser (the “RIA”) for violations of the Gramm-Leach-Bliley Act’s “safeguards rule” adopted under Regulation S-P.1 These violations occurred immediately prior to a cybersecurity breach of the RIA’s systems, in which the hackers may have obtained personally identifiable information (“PII”) of 100,000 individuals.
In 2000, the SEC adopted the safeguards rule as part of Reg. S-P, which requires that every investment adviser registered with the Commission adopt policies and procedures reasonably designed to: (i) ensure the security and confidentiality of customer records and information; (ii) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (iii) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.2 The federal banking agencies and the Federal Trade Commission (“FTC”) have adopted similar rules.
The RIA required prospective customers to submit their names, dates of birth, and Social Security numbers to its website to verify that they were eligible participants of the retirement plan for which the RIA provided managed account services. The website was hosted on a third-party server and contained PII on the RIA’s 8,000 clients, in addition to validation information on the 100,000 eligible participants of the retirement plan. All data was stored in unencrypted formats on the server, and at the time, the RIA had not adopted written policies and procedures regarding the security and confidentiality of that information and the protection of that information from anticipated threats or unauthorized access.
The third-party server was in operation from September 2009 until July 2013. In July 2013, the RIA discovered that unknown hackers, potentially from China, had obtained access to the data on the server. A subsequent investigation indicated that the hackers had full access to the data on the server, but that they may not have downloaded the PII. In addition to the internal investigation, the RIA notified all individuals whose PII was stored on the server of the data breach, and it does not appear that any clients suffered financial harm from the breach.
The SEC found that the RIA failed to adopt written policies and procedures to protect its clients’ PII, which it was required to do under Reg. S-P. As a result of the settled proceeding, the RIA was ordered to cease and desist from further violations of the safeguards rule, censured, and fined $75,000.
In addition to the deterrent effect of the RIA’s penalty, the SEC took the opportunity to remind customers of the need to protect their information in the event of a data breach.3 Specifically, it encouraged customers who believe that their data may have been compromised to:
- Contact their investment firm and other financial institutions immediately.
- Change their online account passwords.
- Consider closing compromised accounts.
- Activate two-step verification, if available.
- Monitor their investment accounts for suspicious activity.
- Place a fraud alert on their credit file.
- Monitor their credit reports with the three credit bureaus.
- Consider filing an Identity Theft Report with the FTC.
- Document all communications in writing.
This case is the latest in a trend of cybersecurity initiatives by the SEC. It follows from the Office of Compliance Inspections and Examinations’ recently announced 2015 cybersecurity initiative.4 Investment advisers should take this as further notice that the SEC expects them to have fully documented cybersecurity policies and procedures as part of their compliance procedures under Regulation S-P if they have client PII on their systems.5 In addition, investment advisers should verify that their existing policies and procedures have been implemented and are subject to regular testing. Moreover, advisers should also consider implementing other safeguards (e.g., two-factor authentication) and providing customer education to help protect customer information.
1 In the Matter of R.T. Jones Capital Equities Management, Inc., Rel. No. IA-4204 (September 22, 2015).
2 Privacy of Consumer Financial Information (Regulation S-P), Rel. No. IA-1883, 65 Fed. Reg. 40,334 (June 29, 2000) (codified at 17 C.F.R. §248.30(a)).
3 Investor Alert: Identity Theft, Data Breaches and Your Investment Accounts (September 22, 2015), available at, http://www.sec.gov/oiea/investor-alerts-bulletins/ia_databreaches.html; see also OCIE and FINRA Announce the Results of Cybersecurity Initiatives (March 25, 2015), available at, https://www.mayerbrown.com/OCIE-and-FINRA-Announce-the-Results-of-Cybersecurity-Initiatives-03-25-2015/.
4 Risk Alert: OCIE’s 2015 Cybersecurity Examination Initiative (September 15, 2015), available at, http://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf.
5 US Securities and Exchange Commission Division of Investment Management Issues Guidance on Cybersecurity (May 28, 2015), available at, https://www.mayerbrown.com/US-Securities-and-Exchange-Commission-Division-of-Investment-Management-Issues-Guidance-on-Cybersecurity-05-28-2015/.
The full and original memorandum was published by Mayer Brown on September 23, 2015 and is available here.