On September 26, 2018, the US Securities and Exchange Commission (“SEC”) brought and settled charges against a registered broker-dealer/investment adviser (the “Registrant”) for allegedly violating the Gramm-Leach-Bliley Act Safeguards Rule (Regulation S-P) and the Identity Theft Red Flags Rule (Regulation S-ID).1 The Registrant allegedly violated the SEC’s rules by failing to implement appropriately designed policies and procedures to safeguard customer information, respond to identity theft red flags, and update or train employees and contractors on its identity theft prevention program. These alleged violations (the Registrant settled without admitting or denying the SEC’s findings) appear to have been identified by SEC examination staff during a routine exam and relate to a 2016 cybersecurity incident that involved unauthorized access to the personal information of 5,600 customers of the Registrant. This is the first SEC enforcement action under the Identity Theft Red Flags Rule since it was adopted by the agency in 2013.2
