Written by: Les Abromovitz, Senior Director
On August 30, 2021, the SEC announced the resolution of enforcement actions against three firms and their affiliates. The enforcement actions were triggered by the firms’ compliance failures relating to their cybersecurity policies and procedures, which resulted in email account takeovers that exposed the personal information of thousands of customers and clients.
When an email account is taken over, an unauthorized third party gains access to the account and can read its contents. The intruder can also do anything the legitimate user can do, such as sending and deleting emails or setting up forwarding rules that quietly copy incoming mail to an outside address.
In these three enforcement actions, the SEC alleged that each of the firms violated Rule 30(a) of Regulation S-P, otherwise known as the Safeguards Rule. The rule is designed to protect customers’ confidential information and records. All of the parties in these enforcement actions are broker-dealers, Registered Investment Advisors (“RIAs”), or both. All of the firms agreed to settle the charges against them.
The Safeguards Rule requires every investment advisor and broker-dealer registered with the SEC to adopt written policies and procedures that are reasonably designed to:
- ensure the security and confidentiality of customers’ records and information;
- protect against any anticipated threats or hazards to the integrity or security of customers’ records and information; and
- protect against unauthorized access to or use of customers’ records or information that might result in substantial harm or inconvenience to any of them.
An RIA or broker-dealer violates the Safeguards Rule if its policies and procedures intended to protect clients’ and customers’ information are not reasonably designed to meet those objectives. Policies and procedures must also be reasonably designed to prevent and respond to cybersecurity incidents.
Without admitting or denying the SEC’s findings, each firm agreed to cease and desist from future violations of the charged provisions. They also agreed to be censured and pay a penalty. The SEC’s press release regarding the enforcement actions can be found here.
Enforcement action #1
The first enforcement action involved a financial services firm’s five entities. Three of those entities were dually-registered. The other two entities were a broker-dealer and an RIA.
According to the SEC’s order against the first firm, the cloud-based email accounts of over sixty firm personnel were taken over by unauthorized third parties, which resulted in the exposure of personally identifiable information (“PII”) of at least 4,388 customers and clients. The term “exposure of PII” means that an unauthorized third party had the ability to view the information; the information is deemed exposed even if the third party never actually viewed it.
The accounts were taken over through phishing, credential stuffing, or other attack methods. Although the email account takeovers did not appear to have resulted in any unauthorized trades or transfers in advisory or brokerage accounts, the entities violated the Safeguards Rule because their policies and procedures were not reasonably designed to ensure compliance. Specifically, these policies and procedures were deficient in relation to independent contractor representatives and offshore contractors.
This particular enforcement action alleged that the entities failed to implement cybersecurity policies and tools, such as multi-factor authentication. The entities possessed a significant number of security tools that would have allowed them to implement controls to mitigate risks. The entities failed to use those tools in a manner tailored to their business, thus exposing the PII of their clients and customers to unreasonable risks.
In addition to their Safeguards Rule violations, the RIAs involved in this enforcement action were accused of violating Section 206(4) of the Investment Advisers Act of 1940 and Rule 206(4)-7 thereunder. The SEC alleged that the RIAs failed to adopt and implement reasonably designed policies and procedures governing the review of communications to advisory clients. This failure led to the RIAs sending breach notifications to the firms’ clients that contained misleading template language.
The RIAs had engaged outside counsel to prepare and deliver the client notifications. The SEC found that while most breach notifications from outside counsel were accurate, letters sent in 2018 and 2019 to approximately 220 advisory clients were misleading. The letters included template language regarding the timing of the incidents and referred to them as “recent.” The letters also stated that the representatives had learned of the unauthorized access only two months before the notification was sent, when in fact each entity had learned of the underlying breach at least six months earlier. This language created a misleading impression that the incidents had occurred much more recently than was actually the case. Because clients received a misleading account of when the breach occurred, they were not alerted to watch for potential misuse of their PII during the intervening months.
When the letters were sent, the RIAs’ policies and procedures for responding to cybersecurity events required advisory personnel to review client communications regarding these incidents before they were sent. The SEC concluded that the advisors failed to implement reasonably designed policies and procedures because their client communications review was conducted in a way that failed to correct template language that was misleading under the circumstances.
Because of these compliance failures, the SEC assessed a civil money penalty of $300,000 against the firm’s entities. The enforcement action is located here.
Enforcement action #2
The second SEC enforcement action arose from an Iowa-based broker-dealer and RIA’s failure to adopt written policies and procedures that were reasonably designed to protect customer and client records and information, in violation of the Safeguards Rule. According to the SEC’s order, those violations allowed the cloud-based email accounts of over 121 firm representatives to be taken over by unauthorized third parties, which exposed the PII of at least 2,177 customers and clients. The SEC determined that although the initial email account takeover was discovered in January 2018, the broker-dealer and the RIA failed to adopt and implement firm-wide enhanced security measures for representatives’ cloud-based email accounts until 2021. This delay resulted in the potential exposure of additional customer and client records and information.
As in the first enforcement action, the RIA and broker-dealer failed to require multi-factor authentication on representatives’ email accounts. They compounded that failure by not acting quickly, once the first takeover was known, to guard against further intrusions and misuse of PII.
The RIA and broker-dealer agreed to pay a $250,000 penalty. The enforcement action is available here.
Enforcement action #3
According to the SEC’s order against a dually registered broker-dealer and investment advisory firm based in Seattle, the cloud-based email accounts of fifteen financial advisors or their assistants were taken over by unauthorized third parties. The email account takeover resulted in PII exposure of about 4,900 customers and clients.
When the email account takeovers were discovered, the firm reset the affected financial advisors’ email passwords, removed the forwarding rules the intruders had created, and enabled multi-factor authentication on those accounts. Nevertheless, additional security measures were not implemented firm-wide until August 2020, roughly 21 months after the breach was discovered. By not implementing those measures in a timely manner, the firm left other customers’ and clients’ information and records exposed in the interim.
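The remediation steps above (reset passwords, remove the intruders’ forwarding rules, turn on multi-factor authentication) and the earlier description of what an intruder can do once inside an account suggest a check every firm in this position needs: an audit of every mailbox’s rules for the patterns that account takeovers leave behind. The following is an added example and is not code from the article or from any of the firms the SEC charged. It generalizes slightly beyond the forwarding rules the orders mention, also flagging rules that hide messages (deleting them or moving them to folders nobody reads), which attackers use to keep replies about fraudulent wire requests away from the real user. The `InboxRule` schema, the `examplefirm.com` domain, and all sample rules are constructed for illustration; map your own mail platform’s rule export onto `InboxRule` before using it.

```python
"""Triage inbox rules for signs of an email account takeover.

Added example; not code from the article or from any firm it describes.
The rule records are CONSTRUCTED with a simplified schema (assumption);
adapt them to your own mail platform's rule export.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: the firm's own mail domain(s). Anything else counts as external.
INTERNAL_DOMAINS = {"examplefirm.com"}

# Subjects attackers commonly filter on so that replies to a fraudulent
# wire/invoice thread, or warnings from a bank, never reach the victim.
SUSPICIOUS_KEYWORDS = {"wire", "invoice", "payment", "password", "hacked", "phish", "fraud"}

# Folders users rarely open; a favourite hiding place for diverted mail.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email"}


@dataclass
class InboxRule:
    mailbox: str                      # owner of the rule
    name: str                         # rule display name
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    subject_contains: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str = ""
    enabled: bool = True


def is_external(address: str) -> bool:
    """True when the address's domain is not one of the firm's own."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in INTERNAL_DOMAINS


def assess_rule(rule: InboxRule) -> List[str]:
    """Return human-readable findings for one rule; an empty list means clean."""
    findings: List[str] = []
    if not rule.enabled:
        return findings

    external = [a for a in rule.forward_to + rule.redirect_to if is_external(a)]
    if external:
        findings.append("forwards or redirects mail outside the firm to " + ", ".join(external))

    hits = sorted(k for k in rule.subject_contains if k.lower() in SUSPICIOUS_KEYWORDS)
    if hits and (rule.delete_message or rule.move_to_folder):
        action = "deletes" if rule.delete_message else f"moves to {rule.move_to_folder!r}"
        findings.append(f"{action} messages whose subject contains {hits}")

    if rule.move_to_folder.lower() in HIDING_FOLDERS:
        findings.append(f"diverts mail into rarely viewed folder {rule.move_to_folder!r}")

    # Attackers often give their rules a throwaway one-character name.
    if len(rule.name.strip()) <= 1:
        findings.append(f"blank or single-character rule name {rule.name!r}")

    return findings


def audit(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map each mailbox that has at least one suspicious rule to its findings."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        for finding in assess_rule(rule):
            report.setdefault(rule.mailbox, []).append(f"rule {rule.name!r}: {finding}")
    return report


# Constructed sample data (not from any real tenant or SEC order).
SAMPLE_RULES = [
    # Benign housekeeping rule: not flagged.
    InboxRule("advisor1@examplefirm.com", "Newsletters",
              subject_contains=["newsletter"], move_to_folder="Newsletters"),
    # Classic takeover: silently copy everything to an outside mailbox.
    InboxRule("advisor1@examplefirm.com", ".",
              forward_to=["collector@mail.example.net"]),
    # Hide replies about wire transfers from the real user.
    InboxRule("assistant2@examplefirm.com", ",",
              subject_contains=["wire", "payment"], delete_message=True),
    # Internal coverage forward while out of office: not flagged.
    InboxRule("advisor3@examplefirm.com", "OOO cover",
              forward_to=["advisor4@examplefirm.com"]),
]

if __name__ == "__main__":
    for mailbox, findings in audit(SAMPLE_RULES).items():
        print(mailbox)
        for finding in findings:
            print("  -", finding)
```

Run it as a script to see the two mailboxes with suspicious rules; the benign newsletter rule and the internal out-of-office forward produce no findings. In practice the audit should be scheduled, not run once after an incident, and any external-forwarding finding should be treated as a live compromise until the account owner confirms otherwise.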
These email account takeovers exposed PII that falls within the scope of Regulation S-P. Some customers and clients received phishing emails that requested them to:
- Wire funds to a bank account;
- Enter PII, such as a driver’s license number or Social Security number, to access a document; or
- Click on a link to view an investment recommendation; following the link would have given the attackers access to the recipient’s computer.
The firm was ordered to pay a $200,000 penalty. The action can be reviewed here.
Firms must design and fully implement robust cybersecurity policies and procedures in order to protect clients’ and customers’ information, records, and privacy. Firms can help guard against these attacks by requiring cybersecurity tools, such as multi-factor authentication, on every account that can reach customer and client information, including representatives’ cloud-based email accounts. As Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit warned, “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”
When a breach occurs, broker-dealers and RIAs must inform their customers and clients promptly, accurately, and without minimizing the severity or misstating the timing of the incident. Prompt and accurate notice lets customers and clients guard against the risk of potential misuse of their PII. Policies and procedures should spell out how this notification will occur and who reviews it before it is sent. In addition, policies and procedures should be designed to ensure compliance with Regulation S-P and to reinforce firms’ duty to preserve clients’ privacy.