SEC Sanctions Investment Firm for Inadequate Cybersecurity and Identity Theft Prevention Policies

Sabastian V. Niles is partner, Marshall L. Miller is of counsel, and Jeohn Salone Favors is an associate at Wachtell, Lipton, Rosen & Katz. This post is based on their Wachtell Lipton memorandum.

[On September 26, 2018], the Securities and Exchange Commission announced that it had settled charges against an Iowa-based broker-dealer and investment adviser stemming from an April 2016 data breach that compromised at least 5,600 customer accounts. The SEC’s cease-and-desist order charges that the firm had deficient cybersecurity and identity theft prevention programs, in violation of the SEC’s Safeguards Rule (Reg S-P) and Identity Theft Red Flags Rule (Reg S-ID), which require registered investment advisers and broker-dealers to adopt reasonably designed policies to protect customer information and to detect, prevent, and mitigate identity theft. Although the SEC has previously enforced the Safeguards Rule (see our June 2016 memo), this is the SEC’s first enforcement action involving the Identity Theft Red Flags Rule. The SEC credited the company’s post-breach remedial actions, and the matter was settled for a $1 million penalty and the retention of an independent compliance consultant.

The data breach occurred when malicious actors, posing as contractors to the company, convinced technical support staff to reset passwords and issue them temporary network credentials. Using those contractor credentials, the attackers gained access to the company’s network and to confidential and sensitive customer data; no technical exploit was needed, because the help desk itself became the point of entry. The investigation identified flaws in the company’s cybersecurity program, not only in its policies for identifying intrusions and protecting data, but also in its post-incident policies for responding to a breach and mitigating identity theft. The SEC also found inadequate management of third-party cybersecurity risk, including a failure to apply key cybersecurity policies to contractors with access to company networks.

This SEC action highlights the importance of conducting regular reviews of cybersecurity and incident response protocols, assessing whether written policies are in fact being followed in practice (for example, whether help desk staff verify the identity of a caller before resetting credentials), and ensuring proper training. As previously discussed, the National Institute of Standards and Technology’s updated Cybersecurity Framework provides guidance on integrating third-party risk considerations into cybersecurity risk oversight, and the SEC’s action underscores the regulatory focus on risks associated with third parties who have access to a company’s networks.