SEC Fines Investment Adviser—a Victim of a Cybersecurity Breach— for Failing To Adopt Written Policies and Procedures Reasonably Designed To Protect Customer Records and Information

SUMMARY

On September 22, 2015, the U.S. Securities and Exchange Commission entered into a settlement agreement with R.T. Jones Capital Equities Management, Inc. relating to its “failure to adopt written policies and procedures reasonably designed to protect customer records and information.”1 The SEC censured the investment adviser, ordered that it cease and desist from further violations, and imposed a civil penalty of $75,000. In connection with the settlement, Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit, noted that firms “need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”2

BACKGROUND

According to the SEC order, R.T. Jones, an SEC-registered investment adviser, provided advice to retirement plan participants through an online system that allowed participants to manage their investment accounts. The plan sponsors provided to R.T. Jones the personally identifiable information (“PII”) of all eligible plan participants. R.T. Jones required prospective clients to log on to its website and enter their name, date of birth and social security number, and would attempt to match this information against the information provided by the plan sponsors to confirm eligibility. R.T. Jones possessed PII for over 100,000 individuals, although fewer than 8,000 used its services. R.T. Jones maintained the PII on a third-party-hosted web server without modification or encryption. Access to the PII was limited to two administrators.

In July 2013, R.T. Jones’s “web server was attacked by an unauthorized, unknown intruder.” The firm promptly retained the services of two cybersecurity consulting firms “to confirm the attack and assess the scope of the breach.” Forensic analysis indicated “that the cyberattack had been launched from multiple IP addresses, all of which traced back to mainland China, and that the intruder had gained full access rights and copy rights to the data stored on the server.” However, the attacker destroyed the relevant log files and “the cybersecurity firms could not determine whether the PII stored on the server had been accessed or compromised during the breach.”

DISCUSSION

Like several other federal and state regulators, the SEC has increasingly asserted authority over companies’ data security practices. With respect to brokers, dealers, investment companies, and investment advisers registered with the SEC (“registered entities”), the SEC has relied on its authority under Sections 501, 504, and 505 of the Gramm-Leach-Bliley Act of 1999, which require the SEC to establish standards for select financial institutions relating to data safeguards. Pursuant to these sections, the SEC promulgated Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)), which provides:

Every broker, dealer, and investment company, and every investment adviser registered with the Commission must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to:

(1) Insure the security and confidentiality of customer records and information;

(2) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and

(3) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

The SEC previously has noted that “[b]ecause funds and advisers are varied in their operations, they should tailor their compliance programs based on the nature and scope of their businesses.”3 As data breaches and enforcement actions continue to occur, however, the SEC may develop an implicit baseline of minimal policies. The SEC’s settlement order with R.T. Jones is instructive in this regard.

The SEC found that R.T. Jones failed to adopt “written policies and procedures regarding the security and confidentiality of [sensitive client] information and the protection of that information from anticipated threats or unauthorized access.” Specifically, the SEC noted that R.T. Jones’s policies did not include: (i) conducting periodic risk assessments; (ii) employing a firewall to protect the web server containing client PII; (iii) encrypting client PII stored on that server; or (iv) establishing procedures for responding to a cybersecurity incident. Based on this conduct, the SEC concluded that “R.T. Jones willfully violated Rule 30(a).”

IMPLICATIONS

In the Matter of R.T. Jones Capital Equities Management, Inc. illustrates the SEC’s intention to enforce its data safeguard regulations against registered investment advisers that lack a minimum of reasonable policies and procedures in core areas. The SEC order enumerated several policy and procedure failures by R.T. Jones. Registered entities should consider developing or modifying policies in these areas:

  • conducting regular cybersecurity risk assessments;
  • using firewalls and encryption to protect client PII; and
  • establishing specific procedures for responding to data breaches and other cyber incidents.

The above policies are consistent with guidance the SEC released in April 2015 regarding cybersecurity measures for registered investment companies and advisers. Because the SEC settlement order with R.T. Jones closely tracks the SEC’s prior guidance on cybersecurity, registered entities should consider whether the cybersecurity measures identified in that guidance, or other measures, would be appropriate. (For more information on the SEC’s cybersecurity guidance, please see Sullivan & Cromwell LLP, SEC’s Division of Investment Management Releases Cybersecurity Guidance (April 30, 2015), available at https://www.sullcrom.com/secs-division-of-investment-management-releases-cybersecurityguidance-guidance.)

It also bears mention that the SEC expressly noted that “[i]n determining to accept R.T. Jones’s Offer, the Commission considered the remedial acts promptly undertaken by R.T. Jones and the cooperation R.T. Jones afforded the Commission staff.” R.T. Jones undertook several remedial actions, including: (i) providing prompt notice of the breach to all individuals whose PII may have been compromised, and offering them free identity monitoring through a third-party provider; (ii) appointing an information security manager to oversee data security and protection of PII; (iii) adopting and implementing a written information security policy; (iv) discontinuing storage of PII on R.T. Jones’s web server; (v) encrypting PII stored on R.T. Jones’s internal network; (vi) installing a new firewall and logging system to prevent and detect malicious incursions; and (vii) retaining a cybersecurity firm to provide ongoing reports and advice on the firm’s information technology security. Registered entities confronting a potential data breach should consider whether any of the above forms of remediation are appropriate to their situation.