The SEC recently commenced a settled enforcement action against an investment adviser, R.T. Jones Capital Equities Management, Inc., for cybersecurity matters. Press reports indicate this is the first such case of its kind. R.T. Jones did not admit or deny the SEC’s findings.
These proceedings arose out of R.T. Jones’s failure to adopt written policies and procedures reasonably designed to protect customer records and information, in violation of Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)), which is referred to as the Safeguards Rule. From at least September 2009 through July 2013, R.T. Jones stored sensitive personally identifiable information, or PII, of clients and other persons on its third-party-hosted web server without adopting written policies and procedures regarding the security and confidentiality of that information and the protection of that information from anticipated threats or unauthorized access. In July 2013, the firm’s web server was attacked by an unauthorized, unknown intruder, who gained access rights and copy rights to the data on the server. As a result of the attack, the PII of more than 100,000 individuals, including thousands of R.T. Jones’s clients, was rendered vulnerable to theft.
In July 2013, R.T. Jones discovered a potential cybersecurity breach at its third-party-hosted web server. R.T. Jones promptly retained more than one cybersecurity consulting firm to confirm the attack and assess the scope of the breach. One of the forensic cybersecurity firms reported that the cyberattack had been launched from multiple IP addresses, all of which traced back to mainland China, and that the intruder had gained full access rights and copy rights to the data stored on the server. However, the cybersecurity firms could not determine the full nature or extent of the breach because the intruder had destroyed the log files surrounding the period of the intruder’s activity.
Soon thereafter, R.T. Jones retained another cybersecurity firm to review the initial report and independently assess the scope of the breach. Ultimately, the cybersecurity firms could not determine whether the PII stored on the server had been accessed or compromised during the breach.
Shortly after the breach incident, R.T. Jones provided notice of the breach to all of the individuals whose PII may have been compromised and offered them free identity monitoring through a third-party provider. To date, the firm has not learned of any information indicating that a client has suffered any financial harm as a result of the cyberattack.
The SEC found that R.T. Jones failed to adopt any written policies and procedures reasonably designed to safeguard its clients’ PII as required by the Safeguards Rule. According to the SEC, R.T. Jones’s policies and procedures for protecting its clients’ information did not include, for example: conducting periodic risk assessments, employing a firewall to protect the web server containing client PII, encrypting client PII stored on that server, or establishing procedures for responding to a cybersecurity incident. The SEC Order states that, taken as a whole, R.T. Jones’s policies and procedures for protecting customer records and information were not reasonable to safeguard customer information.