Based upon the formal and informal expectations of state and federal securities regulators, every investment adviser should consider developing a written information security plan. Rule 30 of Regulation S-P issued by the U.S. Securities and Exchange Commission (“SEC”) requires SEC registered investment advisers to adopt written policies and procedures designed to ensure the security and confidentiality of client information. The enforcement of Rule 30 was highlighted by a recent SEC enforcement action against an investment adviser who had their trading system hacked. A year before the hacking occurred, an internal audit showed that the adviser did not utilize strong passwords. When the hacking occurred a year later, the investment adviser had taken no action to increase password security. Thus, the adviser was fined $275,000 for failing to safeguard customer information.