Cloud-based solutions can offer fund managers significant scalability, flexibility and remote accessibility. Nevertheless, advisers that move some or all of their information technology to the cloud remain subject to the same regulatory requirements applicable to traditional operations. To drive home that point, the SEC recently settled enforcement proceedings against three sets of advisory and brokerage firms in connection with breaches of their representatives’ cloud-based email systems that resulted in exposure of the personally identifiable information of thousands of clients. Each settlement order – which charges the respondents with violating the so-called “Safeguards Rule” under Regulation S‑P – focuses on the fact that none of the compromised email accounts was using multi-factor authentication at the time the account was hacked. This article details the events leading up to the enforcement actions, the alleged violations and the terms of the settlements, with key takeaways for fund managers from Jason Elmer, founder and CEO of Drawbridge Partners, and Elizabeth P. Gray, partner at Willkie Farr & Gallagher. See “FINRA Report Outlines Growing Adoption of Cloud Computing By Securities Industry and Associated Regulatory Concerns
” (Sep. 23, 2021); and our two-part series “The Challenges and Benefits of Multi-Factor Authentication in the Financial Sector”: Part One
(Nov. 2, 2017); and Part Two
(Nov. 9, 2017).