As predicted in our Connect on Tech discussion in March, the U.S. Securities and Exchange Commission (“SEC”) is ramping up its examination and enforcement focus on cybersecurity at financial institutions, including scrutiny on actual implementation and deployment of published procedures in response to discovery of cyber breach incidents. Furthermore, the SEC appears to signal its expectation that multi-factor authentication (“MFA”) for email accounts containing sensitive client and customer information should be in place.
Email Account Takeovers Resulting in Exposure of PII
On August 30, 2021, the SEC announced three settled enforcement actions for alleged failures in cybersecurity policies and procedures, linking these alleged failures to email account takeovers exposing the personally identifying information (“PII”) of thousands of customers and clients. Two of the firms have both investment adviser and broker-dealer affiliates, while the third firm is a dual registrant. In all three matters, the SEC alleged cloud-based email accounts of personnel were taken over by unauthorized third parties and resulted in the compromise of client PII.
The conduct alleged included failure to adopt or fully implement effective written policies and procedures, with the result that: in one case, breach notifications included misleading language suggesting that the incident was discovered sooner than was actually the fact; in another, the firm failed to enhance its processes after learning of the first email account takeover, resulting in the exposure and potential exposure of additional PII; and, similarly, in the third matter, the failure to act promptly by adopting effective policies and security procedures resulted in a much wider-ranging security breach.
The SEC found that all three firms violated Rule 30(a) of Regulation S-P, known as the Safeguards Rule, which is designed to protect confidential customer information. The SEC also found that two investment adviser affiliates at one of the firms had inadequate compliance procedures in violation of Section 206(4) of the Advisers Act and Rule 206(4)-7 in connection with breach notification to clients. The SEC fined the firms between USD 200,000 to USD 300,000 after taking into consideration remedial measures.
Takeaways from SEC’s Enforcement Actions
- Cybersecurity policies must be fully implemented and followed. Just having written policies and procedures are not enough. The SEC criticized one of the firms for failing to actually follow existing policies that the SEC otherwise found to be sufficient. Firms should review and operationally confirm that their actual practices are consistent with their written cybersecurity policies. Periodic training and awareness initiatives will also help personnel consistently follow firm written cybersecurity policies.
- Timeliness matters in response to cybersecurity incidents. To demonstrate a firm’s reasonable response, consider consulting with outside counsel with expertise on best industry practices to address security incidents.
- Deploy MFA for Firm Email Accounts. The SEC did not specifically say that Regulation S-P requires MFA in all cases, but made clear its expectations that firms should have MFA in place (particularly once aware of the email account takeovers), as it is a reasonable approach to thwart phishing, credential stuffing, and other modes of attack. Firms should take steps to assess MFA requirements to protect sensitive client and customer information.
- Ensure That Statements on Cybersecurity Incidents are Accurate. The SEC faulted one firm for inadequate compliance in connection with inaccurate statements as to when the firm actually discovered the incidents.