In a recent blog post, I noted that the SEC is undertaking another cybersecurity exam priority. If that was not enough to get your attention about your own cybersecurity program, you need not look any further.
The SEC just sanctioned a registered investment advisor for failing to adopt proper cybersecurity policies and procedures prior to sustaining a data breach. The SEC fined the firm $75,000.00 and censured it; the breach compromised the records of approximately 100,000 individuals.
Although the firm took proper steps after it realized it had sustained the breach, the firm failed in its pre-breach conduct. Specifically, the SEC concluded that the firm failed to fully adopt written policies and procedures reasonably designed to safeguard customer information. Among other things, the firm:
- Failed to conduct periodic risk assessments.
- Failed to implement a firewall.
- Failed to encrypt PII on its server.
- Failed to maintain a response plan for cybersecurity.
Fortunately for the firm, there was no indication that any client suffered financial harm as a result of the breach. Had there been customer harm, I suspect that the penalty and censure would have been greater.
This case, together with the SEC exam priority and a recent investor alert, should serve as a lesson to everyone. The SEC is focused on data security issues and has acted on them. Ask yourself: do we have proper plans and procedures to prevent and address data breaches? If the answer is no, you need to act fast or suffer the repercussions of a data breach.