Our August 2021 blog described three actions taken by the SEC signaling a renewed interest in cybersecurity disclosure enforcement. In keeping with this theme, the SEC announced a number of significant new cybersecurity actions.
On August 30, the SEC disclosed enforcement actions against eight brokerage firms for failing to implement adequate cybersecurity policies and procedures, as required by the SEC’s “Safeguards Rule.” All eight firms agreed to settle with the SEC and will collectively pay hundreds of thousands of dollars in fines. These most recent actions underscore that companies should be mindful of whether their cybersecurity policies and procedures comply with SEC requirements and expectations.
The Safeguards Rule
All of the enforcement actions announced on August 30 stem from violations of Rule 30(a) of Regulation S-P, also known as the Safeguards Rule. The SEC’s Safeguards Rule requires registered broker-dealers, investment companies, and investment advisers to adopt written policies and procedures that are reasonably designed to:
ensure the security and confidentiality of customer records and information;
protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
17 C.F.R. § 248.30. Although the Safeguards Rule is not limited to cybersecurity, the recent enforcement actions demonstrate that covered entities can violate it by failing to put proper cybersecurity controls in place.
The Enforcement Actions
The enforcement actions were brought against eight firms comprising three groups:
Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, “Cambridge”);
In each case, the SEC found that the email accounts of certain personnel had been “taken over” by unauthorized third parties. That is, unauthorized users, through phishing or otherwise, obtained access to the email accounts and, as a result, were able to view, send, and forward emails. These takeovers exposed the personally identifiable information of thousands of clients and customers.
The SEC also found that these takeovers could have been prevented if the firms had implemented adequate safeguards, particularly multifactor authentication.
For instance, in the Cambridge case, the SEC found that while Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement a firm-wide multifactor authentication policy until July 2021.
Likewise, in the KMS case, the SEC found that KMS experienced takeovers as early as September 2018, but failed to adopt and implement a firm-wide multifactor authentication policy until August 2020.
Finally, in the Cetera Entities case, the SEC found that the Cetera Entities experienced email takeovers as early as November and December 2017, but failed to fully adopt and implement an adequate multifactor authentication policy until the end of 2019. Certain of the Cetera Entities were also charged with an Advisers Act violation for sending breach notifications to clients that misleadingly suggested that the incidents had been discovered more recently than they actually had been.
Without admitting or denying the SEC’s findings, the targeted firms all agreed to refrain from further violations and will collectively pay hundreds of thousands of dollars in penalties. Specifically, Cambridge will pay a $250,000 penalty, KMS will pay a $200,000 penalty, and the Cetera Entities will pay a $300,000 penalty.
While these recent enforcement actions were limited to the Safeguards Rule, which applies only to registered broker-dealers, investment companies, and investment advisers, they reflect the broader reality that the SEC continues to take cybersecurity seriously and will bring enforcement actions against companies it finds in violation of its regulations. Another highlight is the SEC’s focus on multifactor authentication: the enforcement actions reflect that the agency views it as a baseline control against phishing and attempted email takeovers, and that a firm’s delay in rolling it out firm-wide after a known takeover counts against the firm. With the SEC active in this area, now is the time for all companies subject to SEC regulation to review their cybersecurity policies and procedures, and any public statements about those policies and procedures, to ensure they are in line with SEC expectations.
One of the actions also implicated a violation of Section 206(4) of the Investment Advisers Act of 1940. This provision requires investment advisers to have in place policies and procedures to prevent, among other things, making misleading statements to clients.