On September 22, 2015, the SEC announced that it had agreed to settle enforcement proceedings brought against an investment adviser, R.T. Jones Capital Equities Management, in connection with a cybersecurity breach that compromised the personally identifiable information (“PII”) of the firm’s clients. According to the SEC settlement order, the adviser stored PII on its third-party hosted web server, which was attacked in July 2013 by an unknown cyber-intruder. The intruder gained access and copy rights to the data on the server, compromising the PII of more than 100,000 individuals, including thousands of the adviser’s clients.
After the breach was discovered, the adviser hired cybersecurity consultants and the origin of the attack was traced to China. The adviser provided notice of the breach to every individual whose PII may have been compromised and offered free identity theft monitoring through a third-party provider. As of the date of the settlement, the firm had not received any indications that clients suffered financial harm as a result of the data security breach.
In the settlement order, the SEC noted that the adviser provided advice to retirement plan participants through a managed account option administered by a retirement plan administrator and offered by various retirement plan sponsors. The managed account program included several strategies through model portfolios maintained by the adviser. After consulting with a participant, the adviser would recommend a model portfolio. If the participant agreed with the recommendation, the adviser provided trade instructions to the retirement plan administrator, which then effected the transactions. The adviser did not control or maintain client accounts or client account information. During the relevant period, in order to verify eligibility to enroll in the managed account program, the adviser required prospective clients to log on to its website using their name, date of birth and social security number. This information was then compared against the PII of eligible plan participants that was provided by the plan sponsors and stored, without modification or encryption, on the adviser’s third-party hosted web server. According to the SEC, the plan sponsors provided the adviser with information about all of their plan participants, not just the participants that were interested in the managed account program. Although the adviser had fewer than 8,000 plan participants as clients, its web server contained the PII of over 100,000 individuals.
Under Rule 30(a) of Regulation S-P, every investment adviser is required to adopt policies and procedures reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. According to the settlement order, the adviser failed to adopt written policies and procedures reasonably designed to safeguard its clients’ PII, as required by Rule 30(a). The SEC noted that the adviser’s policies and procedures were not “reasonably designed” in that they did not include provisions for conducting periodic risk assessments, employing a firewall to protect the web server containing client PII, encrypting client PII stored on that server, or establishing procedures for responding to a cybersecurity incident.
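The order faults the adviser for keeping the sponsor-provided roster unmodified and unencrypted on the same web server that performed the eligibility check. One defensive design for that check, written here as an added example and not drawn from the adviser or the SEC order, is to store only keyed hashes of the (name, date of birth, SSN) tuple on the server, so that a copied roster yields no SSNs; the key being held outside the web server and the sample roster are assumptions.

```python
import hashlib
import hmac
import re
import secrets

# Assumed: the HMAC key lives outside the web server (for example in a KMS or
# HSM) and is fetched at start-up. It is generated in-process only for this
# example. A dump of the tags alone cannot be reversed into SSNs by guessing;
# a dump of tags AND key could, which is why the key must be kept separately.
ROSTER_KEY = secrets.token_bytes(32)

def normalize(name: str, dob: str, ssn: str) -> bytes:
    """Canonicalize the three fields so that formatting differences (case,
    whitespace, separators) do not cause a lookup miss. DOB is expected in
    year-month-day order with any separator, e.g. 1970-01-15 or 1970/01/15."""
    name_n = " ".join(name.strip().lower().split())
    dob_n = re.sub(r"\D", "", dob)   # digits only, e.g. 19700115
    ssn_n = re.sub(r"\D", "", ssn)   # digits only, e.g. 123456789
    if len(ssn_n) != 9 or len(dob_n) != 8:
        raise ValueError("malformed DOB or SSN")
    return f"{name_n}|{dob_n}|{ssn_n}".encode()

def tag(key: bytes, name: str, dob: str, ssn: str) -> str:
    """Keyed hash of the canonical tuple; the 9-digit SSN space is far too
    small for an unkeyed hash to resist offline enumeration."""
    return hmac.new(key, normalize(name, dob, ssn), hashlib.sha256).hexdigest()

class EligibilityRoster:
    """What the web server stores: HMAC tags only, never the plaintext tuple."""
    def __init__(self, key: bytes, plan_records):
        self._key = key
        self._tags = {tag(key, *rec) for rec in plan_records}

    def is_eligible(self, name: str, dob: str, ssn: str) -> bool:
        try:
            return tag(self._key, name, dob, ssn) in self._tags
        except ValueError:
            return False   # malformed input is simply not eligible

    def stored_values(self):
        """Expose what an intruder copying the server would actually obtain."""
        return sorted(self._tags)

# Constructed sample roster as a plan sponsor might deliver it (fake SSNs).
SAMPLE_PLAN_ROSTER = [
    ("Alice Example", "1970-01-15", "123-45-6789"),
    ("Bob Sample", "1985/07/04", "987654321"),
]
```

Data minimization still applies: loading only the participants who actually enroll, rather than every sponsor record, shrinks what any copy of the server can expose regardless of how it is stored.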
While none of the adviser’s clients were shown to have suffered any harm, the adviser agreed to pay a civil monetary penalty of $75,000 as part of the settlement.