A week after OCIE announced it would conduct a second round of cyber-security exams, the Commission emphasized the issue by bringing an enforcement action against a non-custodial investment-adviser over a remediated data breach that caused no customer harm. The adviser used a third-party-hosted web server, on which was stored the personally-identifiable information ("PII") of about 100,000 people, including the firm's 8,400 customers. The server suffered a cyber-attack and data breach in July 2013. The firm responded by retaining multiple consultants, investigating the breach, sending breach notices and offering free identity-theft services. Although there was no ascertainable customer harm, the SEC cited the firm's failures as including: a lack of written cyber-security supervisory and compliance procedures, no periodic risk-assessments, no firewall, no data-encryption, and no incident response plan. The Commission held the firm violated the "Safeguards Rule" of Reg. S-P, 17 C.F.R. § 248.30(a), which require advisers to (1) ensure the confidentiality and security of customer information, (2) protect against reasonably anticipated threats to that data, and (3) protect against unauthorized access, including adopting written policies and procedures. The settled action imposed a censure and a $75,000 fine. OCIE's announcement of a second-round of cyber-security examinations, together with an outline of key concerns and sample exam questions is discussed here
. The announcement also comes on the heels of an industry-wide cyber-security "war game" conducted by the Securities Industry and Financial Markets Association ("SIFMA"). On September 16, SIFMA conducted Quantum Dawn 3 - it's third in a series of cyber-security exercises, bringing together key industry and government participants to practice responding to serious attacks on the nation's financial infrastructure. Quantum Dawn 3 involved over 650 participants from 80 institutions in a closed-loop simulation of a multi-day rolling series of attacks on US markets. More information is here
. The OIP, In Matter of R.T. Jones Capital Equities Mgt., Inc.,
IA Rel. No. 4204, AP File No. 3-16827 (Sept. 22, 2015), is here
. Thomas K. Potter, III
(firstname.lastname@example.org) is a partner in the Securities Litigation Practice Group at Burr & Forman, LLP. Tom is licensed in Tennessee, Texas and Louisiana. He has over 29 years' experience representing financial institutions in litigation, regulatory and compliance matters. See attorney profile.
© 2015 by Thomas K. Potter, III (all rights reserved).