October 5, 2022

Volume XII, Number 278


October 04, 2022

Subscribe to Latest Legal News and Analysis

October 03, 2022

Subscribe to Latest Legal News and Analysis

SEC Charges Broker-Dealer/Adviser With Inadequate Cybersecurity Procedures

On September 26, the Securities and Exchange Commission (SEC) charged a dually registered broker-dealer and investment adviser (the "Registrant") with deficient cybersecurity procedures. This is the first SEC action alleging violations of the Identity Theft Red Flags Rule and provides important guidance on the SEC's expectations relating to cybersecurity procedures.

The Relevant Rules That Were Allegedly Violated

Two SEC rules applicable to broker-dealers and investment advisers were allegedly violated, the Safeguards Rule (Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) and the Identity Theft Red Flags Rule (Rule 201 of Regulation S-ID (17 C.F.R. § 248.201)).

The Safeguards Rule requires every registered broker-dealer and every registered investment adviser to adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information. Those policies and procedures must be reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

The Identity Theft Red Flags Rule requires certain financial institutions and creditors, including broker-dealers and investment advisers registered or required to be registered, to develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent and mitigate identity theft1 in connection with the opening of a covered account2 or any existing covered account. An Identity Theft Prevention Program must include reasonable policies and procedures that are intended to: (1) identify relevant red flags for the covered accounts and incorporate them into the Identity Theft Prevention Program; (2) detect the red flags that have been incorporated into the Identity Theft Prevention Program; (3) respond appropriately to any red flags that are detected pursuant to the Identity Theft Prevention Program; and (4) ensure that the Identity Theft Prevention Program is updated periodically to reflect changes in risks to customers from identity theft.

The Alleged Facts

The Registrant outsourced its cybersecurity functions to its parent company, which in turn relied heavily upon independent contractors to support those efforts. These independent contractors had access to a portal through which they could obtain personally identifiable information about the Registrant's customers.

Over six days in April 2016, persons impersonating personnel of those independent contractors called the Registrant's technical support line requesting that three of their passwords be reset. In two cases, the calls were placed from numbers identified with prior fraudulent activity, including efforts to impersonate independent contractors. In spite of these red flags, the callers allegedly were provided with new passwords over the phone, and in two cases also were provided with the representative's user name.

Three hours after these calls, an independent contractor notified the Registrant that an email had been sent confirming a request for a password change when no such request had been made. Over the next several days, although the Registrant took some steps to respond to the red flags, the Registrant did not promptly block access from the user names and passwords involved. Improper access allegedly was given to the account information for more than 5,600 customers; one customer's documents were accessed. There were no known unauthorized transfers of any customer funds or securities from the impacted customer accounts.

After the intrusion, the Registrant blocked the malicious email addresses, revised its policies and procedures relating to changing passwords over the telephone, notified the impacted customers, offered them free one-year credit monitoring, and named a new chief information security officer.

Alleged Defects in the Registrant's Policies and Procedures

The SEC alleged the following defects in the Registrant's policies and procedures relating to the Safeguards Rule:

[The Registrant's] policies and procedures with respect to resetting [the Registrant's] contractor representatives' passwords, terminating web sessions in its proprietary gateway system for [the Registrant] contractor representatives, identifying higher-risk representatives and customer accounts for additional security measures, and creation and alteration of [the Registrant's] customer profiles, were not reasonably designed. In addition, a number of [the Registrant's] cybersecurity policies and procedures were not reasonably designed to be applied to its contractor representatives.

The SEC also alleged the following defects in the Registrant's policies and procedures relating to the Identity Theft Red Flags Rule:

[The Registrant] did not review and update the Identity Theft Prevention Program in response to changes in risks to its customers or provide adequate training to its employees. In addition, the Identity Theft Prevention Program did not include reasonable policies and procedures to respond to identity theft red flags, such as those that were detected by [the Registrant] during the April 2016 intrusion.

Remedies Imposed

The Registrant was required to retain an independent compliance consultant to review its relevant procedures and to adopt the consultant's recommendations. The Registrant also was fined $1 million.

Key Lessons

Three key lessons can be learned from this enforcement action:

First, although it may already have been obvious from prior SEC pronouncements, this action re-emphasizes how seriously the SEC treats firms' obligations relating to cybersecurity procedures. This is highlighted by the fact that the dual registrant was fined $1 million even though there was no apparent investor harm resulting from the cyberattack.

Second, this action highlights the special risks posed by reliance on independent contractors. While such reliance is entirely legal, these non-employees pose particular risks that should be addressed both contractually and operationally.

Third, the failure to identify and respond promptly to red flags may potentially create significant regulatory risks for a registrant, in addition to the reputational and liability risks from the firm's customers. The SEC appears to have been concerned that calls from numbers identified with fraudulent conduct should not have been responded to and that when warnings that a hack may have occurred began to surface, access from the suspicious addresses should have been blocked in a timely manner. The SEC expects recognition of, and appropriate and prompt responses to, red flags. Also of note, the Commodity Futures Trading Commission (CFTC) requires futures commission merchants, introducing brokers, commodity trading advisers, commodity pool operators, and certain other registrants to comply with its version of the Theft Red Flags Rule.

1 The rule defines "identity theft" as a fraud committed or attempted using the identifying information of another person without authority.

2 The rule defines a "covered account" to include an account that a broker-dealer or investment adviser offers or maintains, primarily for personal, family or household purposes that involves or is designed to permit multiple payments or transactions, such as a brokerage account with a broker-dealer.

©2022 Katten Muchin Rosenman LLPNational Law Review, Volume VIII, Number 284

About this Author

David Y. Dickstein, Financial Services Lawyer, Katten muchin law firm

David Dickstein represents broker-dealers, investment advisers, investment companies and hedge funds in connection with a variety of regulatory, compliance and operational matters. David regularly counsels investment advisers on registration and regulatory matters, such as the need for registration, conflict of interest disclosures, soft dollars and best execution, firm advertising and marketing, federal and state pay-to-play matters, trade allocations and personal trading. He also advises broker-dealers on registration and ongoing compliance matters, mutual fund supermarkets...

Mark Goldstein, Katten Law Firm, New York, Financial Law Attorney
Special Counsel

Mark Goldstein focuses his practice on advising investment advisers, mutual funds and private investment funds. Mark has more than 25 years of experience advising clients on compliance and regulatory requirements, corporate matters, and the federal securities laws. He has extensive experience advising on the formation, distribution, structuring and on-going operational aspects of a wide array of investment products, including mutual funds, private investment funds, offshore funds, funds offered to separate accounts of insurance companies as funding vehicles for variable...

Christian B. Hennion, Finance Attorney, Katten Muchin Law Firm

Christian B. Hennion concentrates his practice in financial services and asset management matters, including counseling fund managers, registered investment advisers and commodity trading advisors on both transactional and regulatory matters. Chris has advised a wide range of US and international managers, from start-ups to large institutions, regarding a variety of matters, including private fund launches and reorganizations, advisory engagements, Investment Advisers Act and Commodity Exchange Act compliance obligations, Securities and Exchange Commission (SEC) and Commodity Futures...

Richard D. Marshall, Katten Muchin, SEC Representation Lawyer, Finance Attorney, New York,

Richard D. Marshall focuses his practice on the representation of financial institutions and employees subjected to investigations by the Securities and Exchange Commission, Department of Justice, Financial Industry Regulatory Authority and state securities regulators. Rick also counsels broker-dealers, investment companies and investment advisers on regulatory issues, particularly relating to SEC and FINRA regulations. He also frequently counsels clients on compliance and risk management issues and the handling of inspections.

Rick provides...