Saturday, February 20, 2016

Securities Law: Cyber Security – Under the Microscope of Regulators

By Matthew Schwart

No industry is immune from cyber-attack by sophisticated computer hackers looking to take advantage of weak firewalls and system controls. We regularly read headlines about large companies (e.g., Sony Pictures, Staples, The Home Depot) that suffer a breach that reveals their customers' non-public, personally identifiable information. In June 2015, the Federal Office of Personnel Management's computer systems were breached, exposing 21.5 million federal employees' non-public, personally identifiable information. These breaches lead to rampant fraud and identity theft, which cost these companies, and the government, hundreds of thousands of dollars. Ponemon Institute Research Report, 2015 Cost of Data Breach Study: Impact of Business Continuity Management (June 2015).

The vast majority of Americans who own securities hold them at broker-dealers or registered investment advisors (RIAs). These financial institutions are required to have policies and procedures in place to ensure compliance with securities rules and regulations. More specifically, Rule 30(a) of Regulation S-P under the Securities Act of 1933 requires broker-dealers and SEC-registered RIAs to adopt written policies and procedures reasonably designed to protect client records and information and to ensure the security and confidentiality of those records. 17 C.F.R. 248.1, et seq. The purpose of Regulation S-P is to protect the financial and personal customer information held by financial institutions.

On September 22, 2015, in the first enforcement case of its kind, the SEC entered into a settlement order with R.T. Jones, a St. Louis-based SEC-registered RIA, for its alleged failure to establish cyber-security policies and procedures in advance of a breach. In this enforcement action, the SEC found that R.T. Jones was unable to prevent a data breach that compromised the non-public, personally identifiable information of nearly 100,000 individuals. Id. As part of the settlement, the firm agreed to cease future violations of Regulation S-P, to appoint an information security manager, to adopt written security policies, and to pay a $75,000 fine. Id.

Securities regulators have made it clear that cyber security, in the context of customer protection, is one of their highest regulatory priorities. The R.T. Jones enforcement action signals a shift in regulatory attention to this previously overlooked and under-examined issue. Just as we can anticipate increased cyber-attacks across all industries, we can also anticipate increased attention from securities regulators in this space. From a consumer standpoint, you should ask your broker-dealer and RIA what policies and procedures they have in place to ensure your personal information is not vulnerable to the risks associated with cyber-attacks.