Consumer data enforcements ramping up

The SEC’s recent charge against the Intercontinental Exchange and nine affiliates highlights the regulator’s focus on cybersecurity breaches involving consumer information. These actions make it crucial for investment advisers to examine their data responsibilities at the state level, to avoid being caught up in regulatory penalties.

Earlier this month, the SEC announced it will be charging the Intercontinental Exchange (ICE) and nine affiliates with failure to inform the commission of a cyber intrusion. ICE has agreed to pay a $10 million penalty to settle the charge.

A third party notified ICE in April of 2021 that it was potentially impacted by a system intrusion through a previously unknown vulnerability in its VPN. Upon investigating, ICE found malicious code that had been inserted into the organization’s VPN, allowing remote access to its corporate network. Rather than immediately notifying ICE’s legal and compliance officials, as is required under the firm’s cyber incident reporting procedures, the information was withheld for several days. This caused the organization to violate its disclosure obligations under Regulation SCI, which requires it to provide an update to the SEC staff within 24 hours of the intrusion.

Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, commented on the importance of promptly reporting these incidents to the commission. “The reasoning behind the rule is simple: if the SEC receives multiple reports across a number of these types of entities, then it can take swift steps to protect markets and investors… When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.”

This enforcement comes at an interesting time. While this case focuses on a violation of Regulation SCI, several rules have been passed or proposed recently regarding information breaches and the protection of consumer information. This is reflected in the SEC’s decision to amend Reg S-P, as well as the proposed Safeguarding Rule from August of 2023 and the Cybersecurity Rule going back to April of 2022.

There’s a clear concern around changes in technology and their effect on the protection of information that investment advisers may hold or have access to. The recent penalties being handed out by the SEC point to the need for organizations to pay attention to breaches, notify clients, and hold themselves accountable. The challenge then becomes keeping all the new requirements straight, with many aspects of these rules overlapping with one another. To add further confusion, there are often different requirements for data breaches that must be met at the state level depending on where clients or investors may reside.

How we can help

Our team of specialists and ex-regulators can take you through the implications of these changes and adapt your compliance systems accordingly.

We support our clients in navigating the nuances of regulatory compliance and answering difficult questions by drafting new policies, providing bespoke training and regularly conducting SEC mock examinations to give firms the opportunity to prepare for the real thing.