May 20, 2021

The SEC last week announced a settlement with a Colorado-based registered broker-dealer for allegedly failing to file Suspicious Activity Reports (SARs) and filing incomplete SARs on attempted cyber intrusions into its customers’ electronic retirement accounts. The settlement comes in the wake of the SEC’s 2021 examination priorities and a March 2021 SEC risk alert emphasizing that broker-dealers must file complete SARs when bad actors attempt to gain access to customers’ online accounts or electronically stored personal data. The SEC’s order also follows guidance issued by the Financial Crimes Enforcement Network (FinCEN) to banks, casinos, broker-dealers, and other entities that are required to file SARs (Reporting Entities), emphasizing that FinCEN expects Reporting Entities to file complete SARs on all cyber-intrusions.[1]

This client alert examines the SEC’s recent settlement with a broker-dealer for failing to file SARs—including for failure to file adequately detailed SARs—on cyber-intrusion events, summarizes recent guidance by the SEC and other federal regulators on SAR filings on cyber-intrusions, and discusses the key takeaways from the SEC’s recent action and agency guidance on cyber-events. 
