An adviser stored sensitive, personally identifiable information (PII) of clients and others on its third-party-hosted web server from 2009 to 2013. In July 2013 the web server was attacked by an unknown hacker who gained access and copy rights to the data on the server, leaving thousands of clients and others vulnerable to theft. After the firm discovered the breach, it promptly retained more than one cybersecurity firm to confirm the attack and determine its scope. Shortly after the incident, the firm provided notice of the breach to every individual whose information may have been compromised and offered free identity theft monitoring through a third-party provider. To date, the firm has not received any indication of a client suffering financial harm as a result of the cyber attack.
The firm failed to adopt written policies and procedures reasonably designed to safeguard its clients’ PII. For example, the firm failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents. The SEC’s order finds that the firm violated Rule 30(a) of Regulation S-P under the Securities Act of 1933. The firm agreed to cease and desist from committing or causing any future violations of Rule 30(a) of Regulation S-P, to be censured, and to pay a $75,000 penalty. In the press release, Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit, stated: “As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients. Firms must adopt written policies to protect their clients’ private information, and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”