The U.S. Securities and Exchange Commission (“SEC”) recently identified cyberthreats as an enforcement priority (see 2021 Examination Priorities). Within months of the Commission’s announcement, the Commission brought three enforcement actions* which resulted in sanctions against eight investment advisory firms who failed to report cyber related attacks, failed to adopt, or failed to implement proper cybersecurity policies in violation of Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”).**
In each of the three matters, the various firms had their email accounts compromised causing customer data – including personal identifiable information – to be exposed. A common thread tying the breaches together was that the firms’ compromised email accounts failed to comply with firm policy (i.e., did not implement multi-factor authentication despite policy requirements or recommendations to implement)*** and the firms’ respective responses to the breaches were insufficient according to the Commission. In exchange for agreeing to cease and desist from future violations of the charged provisions, the firms paid penalties of between $200,000 to $300,000.
A mid-year report on the state of cybercrime, conducted by a cyber investigation response team, revealed that over 70% of ransomware attacks targeted organizations with over $1 billion in revenue.**** In addition, a recent survey conducted by the U.S. Small Business Administration found that “88% of small business owners felt their business was vulnerable to a cyberattack.”***** These statistics suggest that cybercriminals more often take a “go big or go home” approach presumably to secure a maximum ransom payment through each cyberattack. And so, it is crucial that companies focus on having and implementing cybersecurity policies, such as (a) an Incident Response Plan, which outlines instructions on how to respond to and resolve data breaches; and (b) a Cyber Liability Insurance Policy, which covers costs associated with data breaches, including lost income due to a cyberattack. By doing so, companies can avoid the business, financial, and reputational risks posed if they fall prey to a cyberattack.
*Matter of Cetera Advisor Networks LLC et. al., SEC 1940 Act Release No. 5834 [Aug. 30, 2021]; Matter of Cambridge Investment Research, Inc. et. al., SEC 1940 Act Release No. 5839 [Aug. 30, 2021]; Matter of KMS Financial Services, Inc., SEC 1940 Release Act No. 5840 [Aug. 30, 2021]).
**The Safeguards Rule requires registered broker-dealers and investment companies to adopt written policies and procedures reasonably designed to “(1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial hardship or inconvenience to any customer.”
*****See Stay Safe From Cybersecurity Threats
Thank you to second year associate, James Maguire in the Firm’s Uniondale office, for his research assistance related to today’s blog.