The U.S. Securities and Exchange Commission’s new chair, Gary Gensler, has already left his mark as a tough regulator, placing a greater focus on cybersecurity than his predecessor, Jay Clayton. On August 30, 2021, the Securities and Exchange Commission (SEC) “sanctioned eight firms in three actions for failures in their cybersecurity policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm.” Additionally, “they violated Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which is designed to protect confidential customer information.” Regulation S-P requires SEC-registered investment advisers (and other firms such as broker-dealers and investment companies) to maintain policies and procedures reasonably designed to “(1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.”
The sanctions imposed on each firm consisted of a cease-and-desist order, a censure, and penalties ranging from $200,000 to $300,000. The rise in SEC enforcement actions demonstrates the strict stance the SEC is taking on cybersecurity, and that there is little tolerance for failure to adopt and implement specific disclosure controls and procedures related to cyber incidents.
If you are regulated by the SEC, you must closely adhere to Regulation S-P and follow the SEC’s guidance on disclosure of cybersecurity risks and incidents.
For more information, here is the full SEC Press Release.
Coast to Coast Compliance is here to help you develop or otherwise review your existing cybersecurity policies and procedures, to ensure that they are tailored to your organization.