The SEC Has Announced Charges Against Firms for Deficient Cybersecurity Procedures

On August 30, 2021, the Securities and Exchange Commission (SEC) announced sanctions against multiple firms in three separate actions for failures in their cybersecurity policies and procedures.

These failures allowed unauthorized parties to take over firm email accounts, exposing the personal information of thousands of customers and clients. All of the sanctioned firms have agreed to settle the charges.

In one instance, a sanctioned firm had the cloud-based email accounts of its personnel taken over by unauthorized parties between November 2017 and June 2020, exposing the personal information of thousands of customers and clients.

According to the SEC, the affected accounts were not protected in a manner consistent with the firm’s own policies, and so were not properly secured. Following the breaches, the firm also sent clients breach notifications containing misleading language that suggested the notifications had been issued much sooner after discovery of the breaches than was actually the case.

Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit, said this about the responsibilities of the sanctioned firms: “Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information. It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”

With these issues in mind, complying with federal regulation, and with the firm’s own policies to the fullest extent possible, is the best way to protect both clients and personnel. In practice, that means adopting policies the firm can fully implement, and then verifying that they actually have been implemented across the firm rather than assuming the written policy is enough.

The SEC’s orders against the other firms describe further unauthorized third-party account takeovers that exposed the personal information of thousands of customers and clients. One firm, despite discovering an email account takeover in January 2018, did not adopt enhanced security measures for its cloud-based email accounts until 2021, leaving additional customer information open to potential exposure in the meantime.

Another sanctioned firm experienced cloud-based email account takeovers after failing to adopt written policies and procedures requiring additional security measures. The SEC’s order against this firm states that those measures, had they been properly adopted and applied firm-wide, could have helped prevent the exposure of personal information. Between May 2020 and August 2020 the measures were still not fully in place across the firm, leaving additional customers and clients at risk of a data breach.

The firms charged by the SEC failed to comply with their own stated standards, and in one case sent breach notifications that misrepresented how promptly clients had been told about a breach after it was discovered. The result was the exposure of thousands of customers’ and clients’ personal information through cloud-based email account takeovers, and combined penalties of $750,000 across the sanctioned firms.

Ultimately, a firm’s written policies must be followed alongside federal requirements in order to ensure the best protection for customers, clients, and staff. A firm’s failure to abide by its own policies, or to take sufficient care in implementing and testing its security controls, can lead to data breaches on a large scale.

The experts at Drawbridge understand the nature of cybersecurity systems through years of experience. Our easy-to-track software and regular testing help keep your firm’s data secure. Drawbridge allows any firm to adopt a cybersecurity program that is right for it, one that both meets its needs and exceeds expectations.