Global | Publication | September 2015
On September 22, 2015, the US Securities and Exchange Commission (SEC) announced that an investment advisor firm had agreed to settle allegations that it failed to adopt written cybersecurity policies and procedures reasonably designed to safeguard customer information.
The SEC enforcement action was prompted by an attack by an unknown intruder on the firm’s third-party-hosted web server, which resulted in the intruder gaining access rights and copy rights to personally identifiable information pertaining to over 100,000 individuals, including clients of the firm.
The firm provided notice of the breach, offered free identity theft monitoring services to all affected individuals, and took prompt remedial action to mitigate the risk of future cyber threats, and there was no indication that any client suffered financial harm as a result of the attack. The SEC nevertheless instituted administrative cease-and-desist proceedings, alleging the firm had failed for nearly a four-year period to adopt written policies and procedures reasonably designed to safeguard its clients’ personal information as required by the “Safeguards Rule.”
The Safeguards Rule under SEC Regulation S-P requires every investment advisor to adopt written policies and procedures to, among other things, protect against any anticipated threats or hazards to the security or integrity of customer records and information.
The SEC Order¹ asserts that the firm failed to adopt reasonable written policies or procedures for protecting clients’ information, including:
The firm neither admitted nor denied those allegations, but agreed, among other things, to pay a civil monetary penalty in the amount of $75,000 to the SEC.
The SEC’s action demonstrates its willingness to:
The SEC Order further underscores the increasing focus of securities regulators on cybersecurity in relation to the integrity of the market system, client data protection, and disclosure of material information.
This enforcement proceeding is the latest, but not the sole, illustration of US and Canadian securities regulators’ interest in cybersecurity. For example:
1 http://www.sec.gov/litigation/admin/2015/ia-4204.pdf
2 Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit, as quoted in SEC Press Release “SEC Charges Investment Advisor With Failing to Adopt Proper Cybersecurity Policies and Procedures Prior to Breach” (September 22, 2015) http://www.sec.gov/news/pressrelease/2015-202.html
3 http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
4 http://www.osc.gov.on.ca/en/SecuritiesLaw_csa_20130926_11-326_cyber-security.htm
5 See http://www.finra.org/industry/2015-cybersecurity-report and http://www.cftc.gov/idc/groups/public/@lrlettergeneral/documents/letter/14-21.pdf
6 See for example SEC Office of Compliance Inspections and Examinations, “OCIE’s 2015 Cybersecurity Examination Initiative” (September 15, 2015) http://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf
7 https://www.osc.gov.on.ca/en/NewsEvents_nr_20150602_jsot-hospital-privacy-breach.htm
© Norton Rose Fulbright LLP 2023