On September 22, 2015, the Securities and Exchange Commission (SEC) announced the settlement of an enforcement action against a St. Louis-based registered investment adviser brought under Rule 30(a) of Regulation S-P (Safeguards Rule). The SEC Order charged the adviser with violating the Safeguards Rule by failing to adopt written cybersecurity policies and procedures reasonably designed to protect customer records and information.
The Safeguards Rule, adopted by the SEC in 2000 and subsequently amended in 2005, requires every SEC-registered investment adviser (among other SEC registrants) to adopt written policies and procedures addressing administrative, technical and physical safeguards.
According to the SEC Order, from at least September 2009 through July 2013, the adviser, which did not have custody of client assets, stored sensitive personally identifiable information (PII) of its clients and other persons on its third-party-hosted web server without adopting written policies and procedures regarding the security, confidentiality and protection of such PII from anticipated threats or unauthorized access.
This enforcement action highlights the SEC’s continued focus on cybersecurity, one of the examination priorities for 2015 of the SEC’s Office of Compliance Inspections and Examinations, as well as the SEC’s willingness to bring an enforcement action against a registered investment adviser despite there being no apparent financial harm to that adviser’s clients. Concurrent with the announcement of this enforcement action, the SEC’s Office of Investor Education and Advocacy issued an Investor Alert setting forth important steps to take if an investor becomes a victim of identity theft or a data breach.