As our last newsletter highlighted, the government is ramping up enforcement investigations against both regulated entities and public companies for perceived cybersecurity failures. Proving the point, on September 22, 2015, the SEC announced its first-ever cybersecurity enforcement action. The SEC alleged that registered investment adviser R.T. Jones Capital Equities Management failed to establish cybersecurity policies and procedures reasonably designed to safeguard customer information, as required by Rule 30(a) of Regulation S-P under the Securities Act of 1933. The SEC found that the firm failed to conduct periodic risk assessments, implement a firewall, or encrypt sensitive customer information prior to a data breach that compromised the personal information of approximately 100,000 individuals, including many of the firm’s clients. Without admitting or denying the SEC’s findings, the firm agreed to be censured and to pay a $75,000 penalty to settle the matter.
The SEC has been messaging for some time that it would bring an enforcement case against a regulated entity for violation of the specific cybersecurity rules in Regulation S-P, and similar actions are likely to follow shortly. In the wake of the R.T. Jones announcement, SEC Chair Mary Jo White warned “it is incumbent upon private fund advisors and other regulated entities to employ robust, state-of-the-art plans to prevent, detect, and respond” to cybersecurity risks. And while public companies are not subject to Regulation S-P or any specific SEC rules about their cybersecurity practices, the SEC has signaled that it is closely examining the accuracy and completeness of public company disclosures about their cyber policies and risks to the business from a cyber incident, as well as disclosures following a cyber breach.
The Bottom Line: Expect additional SEC scrutiny of cyber policies and practices of both regulated entities and of public company issuers.