RT Jones Capital Equities Management, Inc., an investment adviser registered with the Securities and Exchange Commission, agreed to pay a fine of US $75,000 to resolve charges by the SEC for not having written cybersecurity policies and procedures to protect customer records and information in advance of a cyber-attack. According to the SEC, in July 2013, RT Jones’ third-party hosted web server was attacked by an unauthorized and unknown intruder who gained access and copy rights to data on the server. The SEC brought charges against RT Jones even though two consulting firms retained by the firm subsequent to the attack could not determine whether customer information was actually accessed or compromised, and the firm itself never learned of information indicating that any client had suffered any financial harm. Under the applicable SEC rule, said the Commission, RT Jones was obligated to implement written “policies and procedures reasonably designed” to ensure the security and confidentiality of customer records and information; protect against anticipated threats or hazards to such data; and protect against unauthorized access to such data that could cause “substantial harm or inconvenience to any customer.” (The relevant SEC rule is Rule 30(a) of Regulation S-P.) RT Jones did not maintain such policies and procedures at the relevant time, claimed the Commission. The SEC noted that, since the cyber-attack, the firm has appointed an information security manager to oversee data security and customer information protection, and implemented a written information security program. (For further information on this action, see the article “SEC Enforcement Action Alleges an Adviser Failed to Adopt Adequate Cybersecurity Policies and Procedures; SEC Issues an Investor Alert on Data Theft” in the September 24, 2015 Advisory by Katten Muchin Rosenman LLP.)

Compliance Weeds: Regulators’ expectations of registrants in both the securities and futures industries have been increasing during the past year regarding what cybersecurity protections should be in place to protect customer records and information. At the beginning of 2015, the SEC said it would focus on cybersecurity compliance and controls among its 2015 examination priorities for broker-dealers and investment advisers. (For further details, see the article “Cybersecurity, Potential Equity Order Routing Conflicts and AML Among the Top Examination Priorities for SEC in 2015” in the January 18, 2015 edition of Bridging the Week.) Just recently, on September 15, 2015, the SEC provided specific guidance on what it would look at in connection with these reviews. The SEC said it would focus on registrants’ governance and risk assessment related to cybersecurity; access rights and controls; data loss prevention; vendor management; training; and incident response. (For further details, see the article “SEC Discloses Elements of Cybersecurity Exams” in the September 20, 2015 edition of Bridging the Week.) Also at the beginning of 2015, the Financial Industry Regulatory Authority published a report identifying findings from its 2014 targeted examination of firms related to their cybersecurity practices and recommended practices broker-dealers should implement to minimize the impact of cybersecurity threats. (For further details, see the article “Industry Watchdogs Warn Brokers and Advisory Firms on Cybersecurity Threats” in the February 8, 2015 edition of Bridging the Week.) Moreover, last month, the National Futures Association submitted to the Commodity Futures Trading Commission for its approval a proposed Interpretive Notice requiring certain NFA members to maintain formal, written information systems security programs.
Although the NFA made clear that its “policy is not to establish specific technology requirements,” it will require all relevant members to have supervisory procedures that are “reasonably designed to diligently supervise the risks of unauthorized access to or attack of their information technology systems, and to respond appropriately should unauthorized access or attack occur.” (For further details, see the article “NFA Proposes Cybersecurity Guidance” in the September 13, 2015 edition of Bridging the Week.) Practically, any cyber breach that compromises customer personal information could leave an SEC or CFTC registrant vulnerable to an enforcement action if it had not previously adopted a written policy and procedure designed to minimize the threat of a cyber-attack and followed such procedure – whether or not an express requirement currently exists. (For additional information on how financial service firms might help protect themselves against cyber-threats, see the Advisory entitled “Cyber-Attacks: Threats, Regulatory Reaction and Practical Proactive Measures to Help Avoid Risks” by Katten Muchin Rosenman LLP, dated June 24, 2015.)