On September 22, 2015, the Securities and Exchange Commission (the “SEC”) issued a cease-and-desist order (the “Order”) and settled charges against St. Louis-based investment adviser R.T. Jones Capital Equities Management (“R.T. Jones”) for failing to establish required policies and procedures to safeguard customer information, in violation of Rule 30(a) of Regulation S-P (“Rule 30(a)”) under the Securities Act of 1933.[1]
Rule 30(a) requires every broker, dealer, investment company and registered investment adviser to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of customer information and to protect customer information from anticipated threats or unauthorized access. According to the Order, from at least September 2009 through July 2013, R.T. Jones stored personal information of its clients and other persons on a third-party-hosted web server without adopting any such written policies and procedures. In July 2013, a hacker gained access to the data on R.T. Jones’ web server, leaving the personal information of more than 100,000 individuals vulnerable to theft. In response to the cyber attack, R.T. Jones notified each individual whose information was compromised.
The Order states that R.T. Jones had not received reports that the cyber attack had resulted in financial harm to any client. Nevertheless, the SEC’s press release quotes the Co-Chief of the SEC Enforcement Division’s Asset Management Unit, Marshall S. Sprung, saying, “As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients. Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.” The Order specifically notes that R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt customer information stored on its server or maintain a response plan for cybersecurity incidents.
The Order’s emphasis on cybersecurity highlights the SEC’s heightened focus on the adoption and implementation of cybersecurity policies and procedures by registered investment advisers. In the past year and a half, the Office of Compliance Inspections and Examinations (“OCIE”) has published two Risk Alerts on cybersecurity,[2] and the SEC has published a guidance update on cybersecurity[3] and hosted a Cybersecurity Roundtable. The most recent Risk Alert on cybersecurity, published by OCIE on September 15, 2015, announced OCIE’s intent to conduct a second cybersecurity sweep examination. That second sweep is expected to involve more information gathering and testing than the first, in order to assess how firms have actually implemented their cybersecurity procedures and other cybersecurity-related controls, and will focus on six areas: cybersecurity governance and risk assessment, access rights and controls, data loss prevention, vendor management, employee cybersecurity training and incident response.