The U.S. Securities and Exchange Commission (SEC) is sending a clear message to all its regulated companies. The days of complacency, shoddy follow-through and minimal investment into cybersecurity compliance programs are over.

What You Need to Know

• Of the 6.3 billion global web attacks in 2020, 736 million targeted the financial services business.

• The most likely cybersecurity threats for a small office are manageable, even for a non-technical employee.

• Beware of non-computer items that offer gateways to your network, like coffee makers.

Companies of all sizes have adapted to remote and hybrid models for the workplace, and many are making the changes permanent as employees grow accustomed to this new environment. Today’s digital economy presents unique opportunities for small and medium-sized businesses (SMBs) to connect with employees and customers in new and efficient ways but comes with considerable cyber risk.

Connecticut has become the third state to pass a “Safe Harbor” statute offering protection to businesses who face civil lawsuits based on data breaches.

On October 29, 2021, Commissioner Elad L. Roisman spoke to the Los Angeles County Bar Association and discussed the challenges SEC registrants face when dealing with cyber threats. In addition to articulating the current obligations of Registered Investment Advisors (“RIAs”) regarding cybersecurity, Roisman expressed his belief that further rulemaking is necessary to clarify advisors’ obligations. His speech can be reviewed at https://www.sec.gov/news/speech/roisman-cybersecurity-102921.

A hacker exposed personal information for millions of Robinhood users.

Popular stock trading app Robinhood recently experienced a security breach that exposed the personal information of millions of users. While most Robinhood users—and their investments—are safe, there are still important steps you should take to keep your accounts and personal data secure.

What was stolen in the Robinhood security breach?

The Securities and Exchange Commission’s current rules relating to cybersecurity need to be enhanced with a new one specifically addressing reporting of cybersecurity breaches by registered investment advisors and broker-dealers, according to one of its commissioners.

The SEC has some general rules relating to cybersecurity already in place, Commissioner Elad Roisman, a Republican appointee, said in prepared remarks for his speech at the Los Angeles County Bar Association last week. The Safeguards Rule, implemented in 2000, for example, requires broker-dealers to implement policies and procedures to protect client records and ensure confidentiality of customer information as well as protect against unauthorized access, he said. The SEC also adopted a rule in 2013 requiring certain SEC-regulated entities to have policies and procedures aimed at preventing identify theft, according to Roisman.

Earlier this year, Utah joined Ohio to become the second state to enact legislation creating an affirmative defense to certain causes of action arising out of a cybersecurity breach. Though not identical, both Utah’s Cybersecurity Affirmative Defense Act (“CADA”) and Ohio’s Data Protection Act (“ODPA”) primarily underscore the importance for organizations to be proactive in assessing their cybersecurity risk landscape and to then adequately address those risks. What makes these two new laws unique is that the affirmative defenses apply across all U.S. jurisdictions and give organizations an opportunity to mitigate against breach-related litigation, including class actions, unless and until a court decides otherwise. To benefit, organizations should ensure they (1) comply with the law and (2) update the choice of law clause in their website terms and conditions.

Registered investment advisers that rely on independent investment adviser representatives (IARs), operating their own offices, face unique supervision challenges. The SEC’s administrative action against Horter Investment Management, LLC (“Horter”) and its principal illustrates the worst-case scenario. The firm, based in Cincinnati, primarily hired IARs with remote offices.

In our first article to kick off Cybersecurity Awareness Month, we will discuss some steps businesses can take to improve their cyber hygiene. Over the past few years, some of the largest and well-known companies have been affected by data breaches resulting in millions of dollars in losses. Smaller businesses are not immune from data breaches, and even a small data breach impacting only a few thousand records can expose a business to significant losses and reputational damage that may have a devastating impact on its ability to function. Various attack methods can be used against businesses to obtain sensitive data or access funds through fraud. Some common attack methods are compromised credentials, social engineering attacks such as phishing, vishing, and smishing, business email compromise scams, ransomware, and vulnerabilities in third-party software. While no business can expect to be 100% safe, here are some basic practices businesses can implement to improve their cyber hygiene.