On Sept. 22, 2015, the Securities and Exchange Commission (SEC) announced the first violation by a registered investment advisor of the so-called Safeguards Rule (Regulation S-P) pertaining to the protection of personally identifiable information from cyber-attack. This is the first instance of the SEC enforcing Regulation S-P against an investment advisor. The Regulation, broadly speaking, requires broker-dealers, investment advisers and other financial firms to protect confidential customer information from unauthorized release to unaffiliated third parties. Included in Regulation S-P is the “Safeguards Rule” (Rule 30(a)), which requires financial institutions to, among other things, adopt written policies and procedures reasonably designed to protect customer information against cyber-attacks. This raises the question: Are you prepared for a cyber-attack (and the attendant liability)?

In its findings, the SEC found that the registered investment advisor had stored personally identifiable information on a third-party server that was hacked. Ultimately, it appeared that the cyber-attack had come from China. It does not, at this time, appear that any of the personally identifiable information has been used. Furthermore, the registered investment advisor acted quickly to alert its clients about the attack and provided identity theft monitoring.

Nonetheless, the SEC imposed a $75,000 fine on the registered investment advisor. Its primary reason for doing so was that the firm did not have sufficient written policies and procedures in place to protect personally identifiable information. It had, for example, allegedly failed to conduct periodic risk assessments, implement a firewall, or otherwise protect files from a cyber-attack.

Ultimately, to be prepared for the same sort of investigation, a best practice for every registered investment advisor is to do a critical assessment of the manner in which its customer data is stored. Anticipate regulators requiring such data to be encrypted and otherwise secured from cyber-attack. For registered investment advisors using third-party service providers, a best practice is to ensure that the third-party service providers are audited and certified as having secure methods in place to protect customer personally identifiable information.

In addition, registered investment advisors would be wise to ensure that they have some form of insurance coverage for those risks, including an investigation, fines and damages. Coverage for such regulatory investigations may be available under stand-alone cyberinsurance policies or in the form of coverage for regulatory investigations and actions under a director and officer liability insurance policy. Cyberinsurance policies differ significantly in the marketplace, and the availability of regulatory investigation coverage under D&O insurance policies varies. Registered investment advisors should consider consulting insurance coverage counsel to evaluate whether their insurance policies might provide insurance coverage for such matters.