As predicted in our Connect on Tech discussion in March, the U.S. Securities and Exchange Commission (“SEC”) is ramping up its examination and enforcement focus on cybersecurity at financial institutions, including scrutiny on actual implementation and deployment of published procedures in response to discovery of cyber breach incidents.  Furthermore, the SEC appears to signal its expectation that multi-factor authentication (“MFA”) for email accounts containing sensitive client and customer information should be in place.

Email Account Takeovers Resulting in Exposure of PII

On August 30, 2021, the SEC announced three settled enforcement actions for alleged failures in cybersecurity policies and procedures, linking these alleged failures to email account takeovers exposing the personally identifying information (“PII”) of thousands of customers and clients.  Two of the firms have both investment adviser and broker-dealer affiliates, while the third firm is a dual registrant. In all three matters, the SEC alleged cloud-based email accounts of personnel were taken over by unauthorized third parties and resulted in the compromise of client PII.

The conduct alleged included failure to adopt or fully implement effective written policies and procedures, with the result that:  in one case, breach notifications included misleading language suggesting that the incident was discovered sooner than it actually was; in another, the firm failed to enhance its processes after learning of the first email account takeover, resulting in the exposure and potential exposure of additional PII; and, similarly, in the third matter, the failure to act promptly by adopting effective policies and security procedures resulted in a much wider-ranging security breach.

The SEC found that all three firms violated Rule 30(a) of Regulation S-P, known as the Safeguards Rule, which is designed to protect confidential customer information. The SEC also found that two investment adviser affiliates at one of the firms had inadequate compliance procedures in violation of Section 206(4) of the Advisers Act and Rule 206(4)-7 in connection with breach notification to clients.  The SEC fined the firms between $200,000 and $300,000 after taking into consideration remedial measures.

Takeaways from SEC’s Enforcement Actions
  • Cybersecurity policies must be fully implemented and followed.  Having written policies and procedures is not enough.  The SEC criticized one of the firms for failing to actually follow existing policies that the SEC otherwise found to be sufficient.  Firms should review and operationally confirm that their actual practices are consistent with their written cybersecurity policies.  Periodic training and awareness initiatives will also help personnel consistently follow firm written cybersecurity policies.
  • Timeliness matters in response to cybersecurity incidents. To demonstrate a firm’s reasonable response, consider consulting with outside counsel with expertise on best industry practices to address security incidents.
  • Deploy MFA for Firm Email Accounts.   The SEC did not specifically say that Regulation S-P requires MFA in all cases, but made clear its expectation that firms should have MFA in place (particularly once aware of the email account takeovers), as it is a reasonable approach to thwart credential stuffing, password phishing, and other attacks that rely on a stolen or guessed password alone.  Firms should take steps to assess MFA requirements to protect sensitive client and customer information, bearing in mind that not all factors are equal: one-time codes delivered by SMS or email can themselves be phished, so phishing-resistant factors are preferable where feasible.
  • Ensure That Statements on Cybersecurity Incidents are Accurate.  The SEC faulted one firm for inadequate compliance in connection with inaccurate statements as to when the firm actually discovered the incidents.
Author

Peter represents public companies, financial services firms, and other organizations in litigation, investigations, and regulatory actions by federal agencies. Former head of the SEC Chicago office's Municipal Securities and Public Pensions Unit, Peter also advises clients on compliance and regulatory matters impacting the municipal securities markets and investments by public pensions and other institutions. He is also a leading expert in advising companies and outside auditors in connection with SEC and other regulatory inquiries regarding financial restatements and disclosures.

Author

Valerie is a partner in Baker McKenzie’s Financial Regulation and Enforcement Practice Group in North America. She regularly advises broker-dealers and investment advisers regarding federal and state securities laws and regulations, including FINRA rules, and counsels clients during all aspects of broker-dealer and investment adviser regulatory examinations and enforcement investigations.

Author

Amy advises all manner of financial industry clients and SEC reporting companies, in connection with regulatory enforcement investigations and examinations, as well as internal investigations. Her clients include broker-dealers, investment advisers, hedge funds, mutual funds, securities issuers and reporting companies, commodities traders, and those providing services to those businesses.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.