SEC Brings Enforcement Action Against a Broker-Dealer for Weak Cybersecurity Controls

On April 12, 2016, the U.S. Securities and Exchange Commission (“SEC”) continued its enforcement of reasonable cybersecurity controls, announcing cease and desist proceedings against a broker-dealer and two of its principals under Regulation S-P for its “failure to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of customer records and information.” The SEC also found the broker-dealer in violation of Section 17(a) of the Exchange Act and Rule 17a-4 thereunder for failing to “make and keep certain communication relating to its business.” Although there was no allegation that any client suffered financial harm, the broker-dealer settled for $100,000, while the principals settled for $25,000 each.

The broker-dealer, Craig Scott Capital, LLC (“CSC”), used email addresses outside its own domain name to electronically receive more than 4,000 faxes from customers and other third parties, which routinely included sensitive customer records and information, such as customer names, addresses, social security numbers, bank and brokerage account numbers, copies of driver’s licenses and passports, and other customer financial information. The two settling principals of CSC also used their personal, non-CSC email addresses for matters relating to the business of CSC. The SEC further found that CSC did not maintain and preserve either these faxes or this email correspondence as required by Section 17(a) of the Exchange Act.

Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)), otherwise known as the “Safeguards Rule,” requires that every broker-dealer registered with the SEC adopt policies and procedures reasonably designed to: (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to, or use of, customer records or information that could result in substantial harm or inconvenience to any customer. The SEC adopted amendments to the Safeguards Rule in 2005 that require that policies and procedures adopted thereunder be in writing. Though CSC had written supervisory procedures (“WSPs”) during the relevant period, the SEC found that these WSPs were not reasonably designed to protect customer records and information, as required by the Safeguards Rule, since they (i) failed to designate the responsible supervisor, (ii) failed to address how customer records and information transmitted through the fax system were to be handled, (iii) contained blanks as to how CSC was to comply with the Safeguards Rule, and (iv) were not tailored to the actual practices at CSC.

This enforcement action against CSC is a warning and reminder for registered firms to:

  • carefully construct cybersecurity and other written policies and procedures;
  • make sure these policies and procedures are complete and tailored to the firm’s business and practices;
  • review cybersecurity practices to ensure that information security measures are consistent with the emerging standard of care to be enforced by regulators; and
  • never use non-domain email or fax accounts for business purposes, especially for matters involving personally identifiable customer information.

It is also a reminder that off-the-shelf compliance manuals that are not effectively implemented remain a target for SEC enforcement.