To buttress the SEC’s initiative to assess cybersecurity preparedness in its risk alert discussed here previously, the SEC also has the power to bring enforcement actions against registered entities that fail to meet cybersecurity requisites. Specifically, the SEC may bring an enforcement action against registered entities that violate the safeguards rule of Regulation S-P (17 CFR § 248.30(a)) (commonly referred to as the “Safeguards Rule”).
Under the Safeguards Rule, all registered entities must have written policies and procedures “designed to:
(a) Insure the security and confidentiality of customer records and information;
(b) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
(c) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.”
While the SEC has not brought many enforcement actions for violations of the Safeguards Rule in the past, increased examinations in this area may change things. One such action was brought in 2008 against a registered broker-dealer premised upon deficiencies in password complexity and session inactivity parameters. These deficiencies resulted in hackers placing unauthorized trades in customer accounts. While the broker-dealer promptly reversed or eliminated the trading positions and compensated the customers for the trading losses of approximately $98,900, the SEC still censured the broker-dealer, fined the broker-dealer $275,000, and required the broker-dealer to engage, at its own expense, an independent consultant. The independent consultant was required to review the broker-dealer’s policies and procedures and issue a report of recommendations, which the broker-dealer would then need to implement.
In light of the SEC’s power to enforce the Safeguards Rule, registered entities would be well advised to ensure that their responses to the Risk Alert sample information requests prove satisfactory.