Many in the investment advisory community are following the story of R.T. Jones Capital Equities Management, an investment advisor that, according to the Securities and Exchange Commission (SEC), suffered a hack exposing the personally identifiable information of "approximately 100,000 individuals, including thousands of the firm’s clients."*

The SEC recently announced a resolution with R.T. Jones that included: 

  • Advisor’s agreement to be censured by the SEC; 
  • Payment of a $75,000 penalty; 
  • Advisor’s agreement to cease and desist from violations of Rule 30(a) of Regulation S-P. 

R.T. Jones also agreed to remedial measures, including appointing an information security manager, implementing a written information security policy, and taking steps to increase technical security.

While 100% guaranteed information security is not possible, the SEC did not bring the action against R.T. Jones for failing to meet that standard. Rather, the SEC cited R.T. Jones for allegedly failing to have more basic security measures in place. Among the matters the SEC pointed to were:

  • "The firm failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information." 
  • R.T. Jones "failed to conduct periodic risk assessments…or maintain a response plan for cybersecurity incidents."