Just one week after the Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations issued a new risk alert on cybersecurity, the SEC brought an enforcement action against an investment adviser under Regulation S-P for its “failure to adopt policies reasonably designed to protect customer records and information.” Although there is no evidence that any client suffered financial harm, the investment adviser settled for $75,000.
The investment adviser, RT Jones Capital Equities Management, Inc. (“RT Jones”), offered advisory services to participants in a benefit plan. To enroll in the services offered by RT Jones, plan participants would go to a third-party-hosted web server and enter personally identifiable information, such as Social Security number, name and date of birth, to verify their identity. RT Jones later discovered a breach of that third-party server. Although RT Jones had only about 8,400 clients, the data of more than 100,000 individuals who had applied to be plan participants was stored on the server. A forensic investigation could not determine whether the personally identifiable information of those 100,000 plan participants was accessed or compromised, and RT Jones has received no indication that any client suffered financial harm.
Despite the absence of demonstrated harm to RT Jones’ clients, the SEC brought an enforcement action under Rule 30 of Regulation S-P for failure to implement safeguards reasonably designed to protect personally identifiable information. That the server holding the data was hosted by a third party did not relieve RT Jones of that obligation. In particular, the SEC focused on the failure to:
- conduct periodic risk assessments,
- implement a firewall,
- encrypt the personally identifiable information, or
- adopt a cybersecurity incident response plan.
In determining the penalty, the SEC noted RT Jones’ subsequent remedial efforts, including adopting a cybersecurity policy, ceasing to store personally identifiable information on its web server, and encrypting the personally identifiable information held on its internal network.
The enforcement action against RT Jones is likely a preview of future SEC enforcement against investment advisers and broker-dealers. Firms should carefully construct written cybersecurity policies and procedures and review their actual cybersecurity practices to ensure that their information security measures are consistent with the emerging standard of care the SEC intends to enforce.