SEC Actions Target Advisers, Broker-Dealers for Cyber Failures

The SEC recently sanctioned eight firms in three actions for failures in their cybersecurity policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm. The SEC’s orders against each of the firms found that they violated the Safeguards Rule, which is designed to protect confidential customer information. In an analysis of the SEC’s action, law firm Simpson Thacher commented that each of the firms experienced compromises of its email accounts (many of which were maintained on cloud-based systems) that arose from alleged failures or lapses in their cybersecurity policies and procedures. Without admitting or denying the SEC's findings, each firm agreed to cease and desist from future violations of the charged provisions, to be censured and to pay a penalty. The Simpson Thacher client alert offered key takeaways, including the importance of advisers and broker-dealers ensuring that they are regularly reviewing (and testing) their cybersecurity policies and procedures with input from internal and external IT and cybersecurity advisors; enforcing existing cyber policies and procedures across the entire firm, even among temporary employees; assessing preparedness for their response to a cyber-attack; and establishing policies on clear, accurate communications to customers affected by cyber incidents.