SEC Issues $325K Fine in Data-Protection Crackdown

The Securities and Exchange Commission charged a registered investment advisor with failing to comply with Regulation S-P requirements, and more enforcement actions are expected now that updates to the rule have kicked in, compliance consultants said.

The Securities and Exchange Commission last month charged a $4 billion registered investment advisor with failing to comply with the agency's data-protection and identity-theft prevention rules following a cybersecurity breach that exposed customer information.

Portland, Oregon–based M Holdings Securities agreed to pay a $325,000 civil penalty after the SEC found the firm failed to adopt policies and procedures to protect customer records and information in violation of Regulation S-P and Regulation S-ID, according to the SEC's order.

The charges came just a week before the SEC's updates to Reg S-P took effect and indicate the regulator will likely launch similar enforcement actions, compliance consultants told FundFire.

"We should expect to see more of these cases," said Igor Rozenblit, a managing partner at Iron Road Partners and former co-head of the private funds unit within the SEC's examinations division. "I anticipate that a significant share will involve situations where a firm was aware of a vulnerability but failed to remediate it. The SEC's newly amended Regulation S-P, with its expanded requirements for vendor oversight, will provide regulators with an additional avenue for enforcement."

The SEC unanimously approved amendments to the rule last year, aimed at bolstering data-privacy measures and protecting sensitive customer information by requiring industry firms to notify clients when information is exposed through cyberattacks or other breaches. And compliance with Reg S-P is among the SEC's major exam priorities for 2026.

In the case of M Holdings, which provides investment advisor and broker-dealer services through a nationwide network of advisor firms, the SEC charges came after unauthorized third parties accessed email accounts at several of the firm's branch offices. The breach, which occurred between July 2019 and March 2024, exposed the personally identifiable information and records of roughly 8,500 individuals, many of them M Holdings clients, the SEC said.

The third parties then sent phishing and other "malicious credential-harvesting" emails from the compromised accounts, according to the SEC's order. Four of the member firms experienced two email "takeovers" between 2019 and 2024, per the SEC. The takeover of one email account resulted in an unauthorized wire transfer from a customer's account.

M Holdings had lacked written policies and procedures governing information security across its member firms until September 2020, when it required its member firms to adopt their own information-security policies and controls such as multi-factor authentication, incident-response policies and security-awareness training, according to the SEC. But the policy and new requirements were not reasonably designed, the agency said, and many of M Holdings' member firms continued to lack the required policies and controls. Additionally, M Holdings allegedly did not revise its policies to address those issues.

M Holdings did not admit or deny the charges. A spokesperson for the firm did not immediately respond to a request for comment. The firm has since undertaken efforts to bolster its information-security and cybersecurity programs, according to the SEC.

As the compliance deadlines for the amended S-P rule kick in, examiners are engaging with firms about their progress in establishing incident-response programs, according to the agency. The SEC is expected to launch a targeted exam sweep focused on the amended Reg S-P requirements, followed by a risk alert, Robert Baker, a managing director at ACA Group and former assistant regional director in the SEC's examinations unit, said in an email.

The amended Reg S-P rules now require firms to notify affected individuals as soon as practicable, and no later than 30 days after becoming aware that their sensitive customer information was compromised in a cyberattack or other data breach. They also require service providers to notify the firms they serve within 72 hours of becoming aware of a breach that resulted in unauthorized access to customer information. Previously, Reg S-P required firms only to give clients privacy notices describing how their personal information was collected and shared.

The first compliance date went into effect on Wednesday and applied to large firms with $1.5 billion or more in assets, which are required to adopt written policies and procedures as part of their incident-response programs to address unauthorized access to, or the use of, customer information.

"The recent enforcement action against M Holdings under Regulation S-P is a strong indication that we may see more cases of this type across the industry," Cynthia Kelly, managing director of compliance at STP Investment Services, said in an email. "[F]irms must not only adopt written policies and procedures to safeguard customer data, but also implement robust incident response and customer notification programs, maintain effective oversight of service providers, and ensure that the rule's expanded definition of customer and consumer information is fully addressed."

Reg S-P has been a hot topic in the industry, said Mike Pappacena, a partner at ACA Group.

"Many firms we've seen have established incident response plans ... but that's only a portion of it," he said during a webinar focused on Reg S-P last month. "Firms need to have a program that really looks at incident management in the full life cycle, from detecting, responding to and recovering from incidents where there is unauthorized access or use of customer information."

Examiners are expected to focus on the risks associated with third-party vendors, an area where firms have been struggling, Matthew Shepherd, a director at ACA, said during the webinar.

"The most difficult thing has been addressing that vendor-oversight component," he said. "Actually getting those vendors to play ball with you and agree to make incident notifications in 72 hours ... that's the biggest challenge."