In late August of 2021, the SEC sanctioned eight financial services firms in three separate actions for security compliance failures. The SEC contends that the firms failed to establish and implement adequate cybersecurity policies and procedures. The SEC charged Cetera Entities, Cambridge, and KMS with violating Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which protects confidential customer information. According to the SEC, the failures “resulted in email account takeovers exposing the personal information of thousands of customers and clients.” The firms settled and agreed to pay $750,000 in fines.
The SEC’s enforcement actions against these companies should be a reminder of how crucial it is to have an effective cybersecurity program in place at your financial services firm. Security processes designed to prevent unauthorized access, malware, phishing, viruses, ransomware, and other malicious threats will protect your firm both from criminals and from fines, penalties, and lawsuits.
What’s at Stake?
Cybersecurity incidents involving breaches of personally identifiable information—like social security numbers, credit card details, and bank accounts—can cause significant damage to a firm’s business reputation. Furthermore, your firm may face fines, lawsuits, regulatory investigations, and even legal liability. In addition, remediation costs, including lost revenues, damages, penalties, and settlements, are also likely. A typical data breach costs companies $4.24 million per incident, according to a July 2021 report from IBM.
The SEC Means Business
It seems that the current landscape of ransomware and other cyber threats has spurred the SEC to take a more aggressive stance against security compliance deficiencies. As a result, this summer has seen additional enforcement actions from the body. In June, the SEC charged First American Financial Corporation and later Pearson for similar exposures of sensitive customer data. This indicates that the SEC is moving to heighten its enforcement of cybersecurity rules and disclosure procedures amongst public companies. Key areas of focus in the recent sanctions have included:
- Failure to implement and adopt widely accepted cybersecurity best practices
- Insufficiently timely disclosures of lapses when they were identified
- Inadequate and misleading language in breach notifications to clients and regulators about incidents
“Investment advisers and broker-dealers must fulfill their obligations concerning the protection of customer information,” said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit, about the August announcement. “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”
Safeguard Your Financial Services Firm from Security Compliance Errors
This increased enforcement should serve as a wake-up call to financial institutions: Senior executives must better safeguard the personal information entrusted to them by consumers.
Accordingly, Coretelligent recommends that all financial advisors, brokers, and investment firms review their current cybersecurity vulnerability and compliance programs and consider implementing additional defenses to protect client information.
So, let’s start with some basics. What do the SEC security requirements include? Here are just some of the key elements that financial services firms can apply to strengthen their cybersecurity safeguards.
- Implementing and maintaining comprehensive written policies regarding cybersecurity
- Establishing and regularly testing computer network defenses
- Developing and executing a risk assessment plan
- Training employees about cybersecurity risks
- Ensuring that usernames and passwords used by employees comply with industry standards
- Implementing multi-factor authentication
- Monitoring network traffic for suspicious activity
- Notifying regulators promptly after discovering a breach
At Coretelligent, our security and compliance solutions are designed with the needs of financial services organizations in mind. When you work with Coretelligent, you are gaining an IT partner who truly understands the security compliance needs of the financial services sector. Free your team to innovate at scale while we provide your financial services company with the solutions to protect against cyberattacks and fines from data breaches. Contact us today at 855-841-5888 or fill out our online form to receive a quick return call.