On August 30, 2021, the Securities and Exchange Commission announced the filing of three settled actions against entities that were either registered investment advisers and/or broker dealers, based on deficient cybersecurity procedures.
The SEC’s August 30 announcement follows at least two other cyber-focused actions the SEC brought earlier this summer, which it filed against securities issuers. Together these actions demonstrate the Commission’s continued focus, across the spectrum of regulated entities, on procedures for responding to cyber incidents in a timely and efficient manner and on the accuracy of disclosures regarding any such incidents.
The three cases filed on August 30 involved eight financial firms grouped into three families of entities, identified by the Commission as the “Cetera” entities, the “Cambridge” entities, and KMS Financial Services Inc.
In each of the actions, the SEC found that unauthorized individuals had gained access to cloud-based email accounts maintained by the firms, resulting in the exposure of personal identifying information for more than ten thousand clients and customers.
The Commission found that, in each case, the entities failed to comply with the SEC’s Safeguards Rule, Regulation S-P, which requires registered broker dealers, investment companies, and investment advisers to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” According to the Commission, the firms failed to meet their obligations to their customers and clients to protect this information, either by partially or unsuccessfully implementing cybersecurity protocols, or by failing to adopt appropriate network safety policies altogether.
In addition, the Commission also found that the Cetera entities violated Section 206(4) of the Investment Advisers’ Act and Rule 206(4)-7 promulgated thereunder, both of which concern compliance policies and procedures, by making misleading breach notifications to their clients. In particular, the breach notifications, which were apparently based on a form letter, inaccurately represented the breach had occurred “recently” or only “two months” prior, when, in fact, the breach had occurred six months ago.
- These actions show that, despite the absence of cyber-specific regulations, the SEC will continue to use broad, general regulations concerning procedures, controls, and policies to require timely responses to cyber incidents and accurate disclosures to customers and clients concerning material incidents. At the same time, it bears noting that none of the actions filed August 30, or the two actions settled earlier this summer, involved a finding of any scienter-based violation of the securities laws.
- In the August 30 actions, the SEC placed particular emphasis on the entities’ failure to use, or timely implement, multi-factor authentication (“MFA”) for cloud-based email accounts. Particularly as the remote work environment continues, regulated entities would be well-served to consider using MFA, to the extent they do not already, particularly for cloud accounts that have access to clients’ personal identifying information.
- The August 30 actions further highlight that an organization must have, and follow, effective communication procedures for addressing and remediating cyber vulnerabilities once discovered. The KMS order notes, for example, that, “after the email account takeovers were discovered, KMS had the affected financial advisers’ email passwords reset, forwarding rules removed, and MFA enabled. However, these security measures were not fully implemented firm-wide until August 2020, which was approximately 21 months after discovery of the first breach, in which approximately 2,700 emails of one KMS financial adviser were exposed for a period of 26 days during which unauthorized third parties forwarded the financial adviser’s emails to an email address outside of the firm.”
- Further, as noted above, the SEC’s order found that Cetera sent breach notifications to the firms’ clients that included misleading language that the notifications were issued much sooner than they actually were after the discovery of the incidents. This finding reinforces the long-standing principle under the securities laws that, once an entity chooses to speak on an issue, even absent an affirmative duty to disclose, its statements must be complete, accurate, and not misleading.
- Finally, while the SEC’s activity in the cyber sector is certainly important and significant, regulated entities and their directors and officers should keep in mind that cybersecurity issues—including the types of issues discussed above—may also implicate a broad range of other legal duties and obligations under both federal and state law. For example, under Delaware law, directors are obligated to make a good-faith effort to implement and monitor oversight systems, particularly concerning issues critical to the company’s operations. Baker Botts’ cross-disciplinary team combines deep experience across these potentially applicable legal regimes with practical and technical know-how and is well-equipped to help entities and boards prepare for, and respond to, cybersecurity incidents.
 See Order, In the Matter of Pearson plc, File No. 3-20462 (Aug. 16. 2021), available at https://www.sec.gov/litigation/admin/2021/33-10963.pdf; Order, In the Matter of First Am. Financial Corp., File No. 3-20367 (June 14, 2021), available at https://www.sec.gov/litigation/admin/2021/34-92176.pdf.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.