Clifford Chance

SEC Fines Eight Firms for Deficient Cybersecurity Practices, Issues Warning About Importance of Robust Policies and Procedures and Accurate Disclosures

September 7, 2021

In a strong statement about the importance of cybersecurity controls, on August 31, 2021, the Securities and Exchange Commission announced fines against eight registered investment advisers and broker-dealers for deficient cybersecurity practices that led to breaches of personal information of thousands of clients and customers. The charges come just days after the agency announced a $1,000,000 fine against a London-based publisher for improper disclosures relating to a 2018 cybersecurity breach, a clear indication that the Commission will continue its focus on ensuring registered entities have adequate measures in place to protect the personal data of their clients and customers. Emphasizing that the Commission expects more than just policies that appear appropriate on paper, Cyber Unit Chief Kristina Littman warned that it was "not enough to write a policy" if those policies aren't fully implemented. Notably, each charge highlighted the failure to require multi-factor authentication for email accounts of independent contractors with access to client and customer data—a strong signal to the industry to implement these security measures.
