In today’s ever-interconnected society, protecting the stability and security of cyber infrastructure and the personal information stored therein has never been of greater importance. Recognizing this need, the United States Securities and Exchange Commission (“SEC”) has taken marked steps to protect the security of investor records and information that broker-dealer firms possess.
In fact, the SEC has recently begun sanctioning the very victims of cyberattacks – investment firms that have fallen prey to such attacks – citing their deficient cybersecurity procedures as partly to blame for the unauthorized third-party access to investors’ private information.
On August 30, 2021, the SEC released three orders sanctioning eight firms for their failures in protecting their customers’ personally identifiable information due to inadequate cybersecurity policies and procedures. Each of these orders was brought for violations of Rule 30(a) of Regulation S-P, colloquially known as the “Safeguards Rule.”