On September 22, 2015 the SEC charged a St. Louis-based investment adviser with failing to establish proper policies and procedures to safeguard personally identifiable information in advance of a breach. The Firm utilized a web server to house its client data, which was hacked into from China back in 2013. The Firm was cited for not conducting periodic risk assessments, not implementing firewalls, not encrypting the personal information on the web server, and not maintaining a response plan for cybersecurity incidents. This case demonstrates the seriousness of the issue, specifically in light of the recent Risk Alert from OCIE on this same topic.
Advisers need to take steps to make certain that controls are in place to protect their Firm and its clients from data breaches. There is no one-size-fits-all cybersecurity model for investment advisers. An assessment must be made of the Firm’s systems and their vulnerability to hacks and breaches. Then controls must be established (in a written policy) that help to protect the Firm from the identified risks. These policies should be reviewed as part of the Firm’s annual compliance review to ensure they are reasonably designed to protect client information and take into consideration any regulatory and environmental changes.