A large broker-dealer/investment adviser agreed to pay a $1 million fine because its technology safeguards failed to prevent an employee from downloading and misappropriating personal customer information. The SEC asserts that the employee found a weakness in the firm’s authorization procedures that allowed him to access customer information unrelated to his book. The SEC maintains that the employee misappropriated data for over 700,000 client accounts and then transferred the data over the internet to his personal server. The SEC accuses the respondent firm of violating Regulation S-P’s Safeguards Rule because its policies and procedures failed to properly restrict access, ensure auditing/testing of their effectiveness, and monitor employee access.
OUR TAKE: The SEC appears to impose a strict liability standard on cybersecurity breaches. Although it appears that the firm had significant cybersecurity policies in place, the fact that an employee was able to hack the system to misappropriate customer information makes it difficult to argue that those policies and procedures were reasonable.