On September 22, the Securities and Exchange Commission (SEC) announced that it had entered into a settlement order with R.T. Jones Capital Equities Management, Inc., a St. Louis-based registered investment adviser, over the firm’s failure to establish cybersecurity policies and procedures to protect sensitive client information. This investigation and settlement are the latest in the Commission’s ongoing efforts to ensure that investment advisers establish and maintain cybersecurity safeguards.
Under Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)), commonly known as the “Safeguards Rule,” registered investment advisers like R.T. Jones must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These policies and procedures must be reasonably designed to ensure security and confidentiality of such records, protect against anticipated threats to the security of customer information, and guard against unauthorized access.
R.T. Jones has 8,400 client accounts and about $480 million in regulatory assets under management. According to the settlement order, from September 2009 to July 2013, R.T. Jones stored sensitive, personally identifiable information about clients on a third-party-hosted web server without taking adequate steps to encrypt the data. The order further noted that R.T. Jones failed to adopt written policies and procedures to safeguard that information, as required by the Safeguards Rule.
In July 2013, the firm’s server was hacked by an unauthorized intruder. The intruder gained full access to the data on the server, compromising the personally identifiable information of approximately 100,000 individuals.
Following an investigation, the SEC concluded that R.T. Jones had violated the Safeguards Rule by failing to adopt written policies and procedures designed to protect customer information. The Commission also specifically faulted R.T. Jones for not conducting periodic risk assessments to detect weaknesses in its systems, failing to implement firewalls, neglecting to encrypt data on its server, and having no response plan for cybersecurity incidents.
As noted in the SEC’s order, R.T. Jones did several things correctly afterthe breach occurred. Once the company discovered the breach, it promptly retained cybersecurity consulting firms to confirm the attack and determine the scope of the breach. R.T. Jones then provided notice of the breach to every individual whose information might have been compromised, and offered free identity theft monitoring through a third-party provider. According to the order, R.T. Jones has not received any indication that any individual has actually suffered financial harm as a result of the breach.
Despite these remedial steps, however, the SEC determined that R.T. Jones’s failure to adopt reasonable written cybersecurity policies and procedures before the breach constituted a willful violation of Rule 30(a) of Regulation S-P. Under the terms of the settlement, R.T. Jones has agreed to pay a $75,000 penalty and accepted a censure from the Commission. It also has agreed to cease from committing or causing any violations of Regulation S-P, to appoint an information security manager, to implement structural changes to safeguard customer information, and to adopt and implement a written information security policy.
As SEC Chairwoman Mary Jo White indicated earlier this summer, and as the Commission announced in its 2015 Examination Priorities in January, cybersecurity remains a key focus for the agency. The R.T. Jones settlement underscores the SEC’s continued emphasis on ensuring that registered investment advisers maintain adequate cybersecurity policies and procedures to protect sensitive personal information. With theupcoming second round of cybersecurity examinations, registered investment advisors should be aware of the Commission’s ongoing focus on cybersecurity issues and should ensure that their policies and practices comply with the Commission’s instructions.