What Does It Take To Get The Message?

OCTOBER 13, 2015

Recently, the U.S. Securities and Exchange Commission (SEC) censured an investment advisory firm and levied a $75,000 fine because it did not have a cybersecurity program in operation before a breach occurred. According to the SEC Order, the firm had:

  • No written policies and procedures reasonably designed to protect clients’ personal information;
  • No periodic risk assessments;
  • No firewall to protect the server containing clients’ personal information;
  • No encryption for clients’ personal information; and
  • No procedures for responding to a cybersecurity incident.

SEC regulations and daily news of cybersecurity incidents are widely reported, and the most recent SEC Guidance Update on the topic was issued as recently as April of this year.

Even with all these warnings, guidance, and news reports, many businesses still labor under the illusion that “it will not happen to me,” or “I am too small to be an attractive target.” Unfortunately, intruders of many varieties, with agendas ranging from government-sponsored espionage to organized criminal activity to social revolution to simple thrill seeking, are looking for someone every minute of every day.

The price of being unprepared can be enormous. In this situation, the victim firm retained two cybersecurity firms, hired a lawyer to defend itself against the SEC, paid the fine, and offered free identity protection coverage to every individual whose personal information may have been compromised. One recent study estimated the cost of a data breach to be $154 per record. The firm must also spend a considerable sum to establish a cybersecurity system that will satisfy the SEC’s requirement for a reasonable defense. In addition, the possible loss of future revenue as clients move elsewhere is never really predictable and can be devastating.

Every entity must have a cybersecurity program and an incident response plan in place. This is particularly clear for firms registered with the SEC, which has delineated the issues and identified what is required to satisfy its regulations.

Please hear the warning message and start your program immediately. If you lack the internal resources to establish such a program, cybersecurity consultants like Guidepost Solutions are readily available to tailor a program that fits your needs and budget. The money will be spent one way or another – choose to prepare a defense against an attack rather than pay to clean up the mess after one.

About the author


Kenneth C. Citarella is senior managing director for the Investigations and Cyber Forensics practice at Guidepost Solutions LLC.  He has more than 30 years of experience investigating and prosecuting white collar crime and computer crime. Kenneth can be reached at

