On September 26, 2018, the Securities and Exchange Commission (“SEC”) entered into a settlement order[1] with a registered investment adviser and broker-dealer (“Adviser”) over alleged weaknesses in the Adviser’s cybersecurity procedures. The SEC alleged violations of the Safeguards Rule, which requires written policies and procedures reasonably designed to safeguard customer records and information, and of the Identity Theft Red Flags Rule, which requires a written identity theft prevention program designed to detect, prevent and mitigate identity theft in connection with covered accounts.[2] This is the first SEC enforcement action for violations of the Identity Theft Red Flags Rule. According to the consent order:
- The Adviser maintained a proprietary web portal through which its independent contractor representatives could access confidential client information (i.e., personally identifiable information or “PII”) and manage client accounts. A third party called the Adviser’s technical support line impersonating certain of those independent contractors, was given access to the impersonated contractors’ portal accounts and, through them, gained access to the PII of 5,600 customers, including their addresses, dates of birth, Social Security numbers and email addresses.
- Following the intrusion, the Adviser allegedly failed to follow its own directives aimed at preventing further attacks, to block the IP addresses at issue and to freeze the compromised accounts. The Adviser’s testing was narrowly focused on password resets during a limited period of time and failed to account for the full scope of compromised accounts.
- The Adviser had implemented written cybersecurity policies and applied them to its independent contractor representatives working at remote offices, and no unauthorized transfers of funds or securities from the Adviser’s customer accounts are known to have occurred as a result of the attack. The SEC nevertheless alleged that the policies were not reasonably designed for the systems the Adviser’s contractors actually used because, among other things, they did not prohibit support staff from sharing passwords or usernames by phone and did not require support staff to check callers against the list of phone numbers already associated with fraudulent activity.
As part of the settlement, the SEC censured the Adviser and required the Adviser to pay a $1,000,000 civil monetary penalty. The Adviser also agreed to retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule, the Identity Theft Red Flags Rule and related regulations.[3]
In light of the SEC’s continued focus on cybersecurity and this settlement, private fund sponsors should continue to review and refine their cybersecurity policies and procedures, tailoring them to their own business and addressing risks and weaknesses as they are discovered on an ongoing basis.
2. The SEC alleged that such weaknesses violated the Safeguards Rule under Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”) and the Identity Theft Red Flags Rule under Regulation S-ID (17 C.F.R. § 248.201) (the “Identity Theft Red Flags Rule”). “Covered accounts” under the Identity Theft Red Flags Rule include investment adviser or broker-dealer accounts offered or maintained primarily for personal, family or household purposes that involve or permit multiple payments or transactions.
3. In deciding to accept the settlement, the SEC noted that it considered certain remedial efforts undertaken by the Adviser, including (i) the appointment of a Chief Information Security Officer responsible for maintaining cybersecurity policies and procedures and an incident response plan tailored to the Adviser’s business, (ii) ultimately blocking the malicious IP addresses, (iii) revising its user authentication policy to prohibit provision of a temporary password by phone, (iv) issuing breach notices to the affected customers describing the intrusion and offering one year of free credit monitoring and (v) implementing an effective multifactor authentication requirement for certain account password changes.
This publication is distributed with the understanding that the author, publisher and distributor of this publication and/or any linked publication are not rendering legal, accounting, or other professional advice or opinions on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.
© 2018 KIRKLAND & ELLIS LLP. All rights reserved.