The Securities and Exchange Commission's first-ever enforcement action in the cybersecurity arena was filed against this investment advisor in September 2015. The action was brought for failing to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information of over 100,000 individuals for a four-year period until July 2013, when the advisor discovered the breach.
The regulator imposed a financial penalty of $75,000 on the advisor. Although there was no evidence that any customer was defrauded or harmed by the incident, and the advisor was swift to notify customers and establish free identity theft monitoring, the SEC concluded that the advisor had failed to comply with the 'safeguards rule', which requires firms to adopt written policies and procedures reasonably designed to protect customer records and information.
This case study demonstrates why companies must consider the regulatory compliance implications that these threats give rise to, as well as the direct business and financial risks they present.