On September 26, 2018, the SEC announced that it settled charges against a broker-dealer/investment adviser related to its failures to adopt and implement adequate cybersecurity policies and procedures. The failures were identified in connection with a cyber intrusion that compromised personal information of thousands of customers. The firm agreed to be censured and pay a $1 million penalty.
The SEC charged the firm, VFA, with violating Rule 30(a) of Regulation S-P (Safeguards Rule), which requires every broker-dealer and every investment adviser registered with the SEC to adopt written policies and procedures that are reasonably designed to safeguard customer records and information. The SEC also charged VFA with violating Rule 201 of Regulation S-ID (Identity Theft Red Flags Rule), which requires registered broker-dealers and investment advisers that offer or maintain covered accounts to develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account.
VFA agreed to be censured and pay a $1 million penalty, and will retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule and related regulations.