As it continues to enforce appropriate cybersecurity controls, the SEC initiated administrative proceedings against broker-dealer Craig Scott Capital and its principals for failing to protect confidential consumer information by using personal email addresses for business matters. “The enforcement action, including the fines imposed, reflects how seriously the SEC takes the adoption of and compliance with proper policies and procedures,” Anastasia Rockas, a partner at Skadden, told the Hedge Fund Law Report. This enforcement action is particularly relevant to any hedge fund manager that: has an in-house broker-dealer; has high net worth individuals as clients; manages alternative mutual funds and thus has retail investors; or is subject to any look-through of its institutional clients to underlying individual investors. However, all hedge fund managers should pay close attention given that, as Rockas noted, the “SEC has indicated there will be additional enforcement actions in this space and has designated cybersecurity as an examination priority for 2016.” See “OCIE Risk Alert Provides Cybersecurity Guidance to Investment Advisers and Broker-Dealers
” (Sep. 24, 2015). For another case involving penalties for inadequate cybersecurity controls, see “Investment Adviser Penalized for Weak Cyber Policies; OCIE Issues Investor Alert
” (Oct. 1, 2015).