SEC Shows It’s Serious About Cyber Security

Burr & Forman

A week after OCIE announced it would conduct a second round of cyber-security exams, the Commission emphasized the issue by bringing an enforcement action against a non-custodial investment adviser over a remediated data breach that caused no customer harm.

The adviser used a third-party-hosted web server, on which was stored the personally-identifiable information (“PII”) of about 100,000 people, including the firm’s 8,400 customers. The server suffered a cyber-attack and data breach in July 2013. The firm responded by retaining multiple consultants, investigating the breach, sending breach notices and offering free identity-theft services.

Although there was no ascertainable customer harm, the SEC cited the firm’s failures as including: a lack of written cyber-security supervisory and compliance procedures, no periodic risk-assessments, no firewall, no data-encryption, and no incident response plan.

The Commission held the firm violated the “Safeguards Rule” of Reg. S-P, 17 C.F.R. § 248.30(a), which requires advisers to (1) ensure the confidentiality and security of customer information, (2) protect against reasonably anticipated threats to that data, and (3) protect against unauthorized access, including adopting written policies and procedures. The settled action imposed a censure and a $75,000 fine.

OCIE’s announcement of a second round of cyber-security examinations, together with an outline of key concerns and sample exam questions, is discussed here.

The announcement also comes on the heels of an industry-wide cyber-security “war game” conducted by the Securities Industry and Financial Markets Association (“SIFMA”). On September 16, SIFMA conducted Quantum Dawn 3, its third in a series of cyber-security exercises, bringing together key industry and government participants to practice responding to serious attacks on the nation’s financial infrastructure. Quantum Dawn 3 involved over 650 participants from 80 institutions in a closed-loop simulation of a multi-day rolling series of attacks on US markets. More information is here.

The OIP, In Matter of R.T. Jones Capital Equities Mgt., Inc., IA Rel. No. 4204, AP File No. 3-16827 (Sept. 22, 2015), is here.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
