The SEC Strikes Again

In the last newsletter, we discussed the Securities and Exchange Commission (SEC) and its recent enforcement efforts. Specifically, we covered how the SEC and the New York Department of Financial Services (DFS) have been pursuing entities for failing to report prior breaches, and their focus on adequate policies and procedures.


For example, on August 16, 2021, the SEC announced that Pearson plc (“Pearson”) – a London-based educational publishing and services company – had failed to disclose a cybersecurity breach and had inadequate disclosure controls and procedures. Moreover, the breach itself dated back several years (to 2018), and the SEC viewed the failure to disclose it as misleading investors about the theft of millions of records. The SEC therefore imposed a civil penalty of $1 million.


It appears the SEC is aggressively pursuing entities along the same lines. Just a few weeks after Pearson, the SEC announced another $750,000 in fines against a number of entities, including Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc.


Specifically, the SEC cited the Safeguards Rule (Rule 30(a) of Regulation S-P), which requires every investment adviser and broker-dealer to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information against cybersecurity attacks or other unauthorized access.


According to the SEC, between January 2018 and July 2021, Cambridge email accounts were accessed by unauthorized third parties, exposing the personal information of thousands of Cambridge customers and clients. Most importantly, the SEC found that the first email account takeover occurred in January 2018 and that for the following three years, until 2021, Cambridge failed to adopt and implement firm-wide enhanced security measures for its email accounts. To add emphasis and explain exactly what the SEC is targeting, Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit, stated that “Investment advisers and broker-dealers must fulfill their obligations concerning the protection of customer information. It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”


The landscape is clear. The SEC enforcement actions, along with the previously discussed DFS enforcement actions, demonstrate that words are not enough. Adequate controls and procedures must actually be put into place to protect customer information, or an entity can be subject to significant penalties.