SEC Sanctions Investment Adviser for Failing to Adopt Cybersecurity Policies and Procedures

24 September 2015

Key takeaways

  • In the wake of recent cybersecurity guidance, the SEC’s settlement with an investment adviser for lacking proper cybersecurity policies and procedures highlights the steps firms must take to plan and prepare for a data breach.
  • The SEC expects firms to establish, and regularly test and update, cybersecurity policies and procedures, including an incident response plan.
  • Firms should also be aware that risky data security practices may lead to liability. The SEC held the firm liable for: (1) outsourcing data without appropriate safeguards, (2) choosing not to encrypt sensitive customer information, and (3) failing to “prune” extraneous or unnecessary customer data.