The U.S. Securities and Exchange Commission (“SEC”) recently identified cyberthreats as an enforcement priority (see 2021 Examination Priorities). Within months of the Commission’s announcement, the Commission brought three enforcement actions* which resulted in sanctions against eight investment advisory firms that failed to report cyber-related attacks, failed to adopt, or failed to implement proper cybersecurity policies in violation of Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”).**
In each of the three matters, the various firms had their email accounts compromised, causing consumer data – including personally identifiable information – to be exposed. A common thread tying the breaches together was that the firms’ compromised email accounts failed to comply with firm policy (i.e., did not implement multi-factor authentication despite policy requirements or recommendations to implement)*** and the firms’ respective responses to the breaches were insufficient according to the Commission. In exchange for agreeing to cease and desist from future violations of the charged provisions, the firms paid penalties of between $200,000 and $300,000.
A mid-year report on the state of cybercrime, conducted by a cyber investigation response team, revealed that over 70% of ransomware attacks targeted organizations with over $1 billion in revenue.**** In addition, a recent survey conducted by the U.S. Small Business Administration found that “88% of small business owners felt their business was vulnerable to a cyberattack.”***** These statistics suggest that cybercriminals increasingly take a “go big or go home” approach, presumably to secure a maximum ransom payment through each cyberattack. And so, it is crucial that companies focus on having and implementing cybersecurity policies, such as (a) an Incident Response Plan, which outlines instructions on how to respond to and resolve data breaches; and (b) a Cyber Liability Insurance Policy, which covers costs associated with data breaches, including lost income due to a cyberattack. By doing so, companies can avoid the business, financial, and reputational risks posed if they fall prey to a cyberattack.
*Matter of Cetera Advisor Networks LLC et al., SEC 1940 Act Release No. 5834 [Aug. 30, 2021]; Matter of Cambridge Investment Research, Inc. et al., SEC 1940 Act Release No. 5839 [Aug. 30, 2021]; Matter of KMS Financial Services, Inc., SEC 1940 Act Release No. 5840 [Aug. 30, 2021].
**The Safeguards Rule requires registered broker-dealers and investment companies to adopt written policies and procedures reasonably designed to “(1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.”
***See The Invaluable Benefits of Multi-Factor Authentication
****See First Half of 2021 Sees Triple Digit Rise in Cybercrime
*****See Stay Safe From Cybersecurity Threats
Thank you to second year associate, James Maguire in the Firm’s Uniondale office, for his research assistance related to today’s blog.