Recently, the SEC announced that R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, agreed to settle charges that it failed to establish the required cybersecurity policies and procedures before a data breach that compromised the personally identifiable information (PII) of approximately 100,000 people, including many clients. A copy of the order can be found here. The chain of events is an all too familiar story of a company ill-prepared to face modern cybersecurity threats that learned a hard lesson.
Firm Maintains PII
The firm provided investment advice to retirement plan participants who input PII, including names, dates of birth and social security numbers, and financial information into the firm's web portal and received advice about their asset allocation. The firm did not control or maintain client accounts. The firm stored sensitive PII of clients and others on its third party-hosted web server for four years, with access limited to two persons who were administrators. Even though it managed only 8,400 accounts, it had PII for over 100,000 people.
Regulations Require Cybersecurity Plan
SEC Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30) requires registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information from anticipated threats or hazards or unauthorized access. (The same rule also requires investment advisers to adopt procedures for disposal of credit report information.)
Firm Fails to Adopt Plan
The SEC found R.T. Jones violated Rule 30(a) over a four-year period when it failed to adopt any written policies and procedures to ensure the security and confidentiality of PII. The firm also failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.
Firm Gets Hacked
The firm's web server was attacked in July 2013 by an unknown hacker, later traced to China, who gained access and copy rights to the data on the server, rendering the PII of more than 100,000 people, including thousands of clients, vulnerable to theft. The thieves deleted the database log files to cover their tracks.
Firm Spends Enormous Resources Investigating, Notifying Customers, and Being Investigated
After the breach was discovered, the firm promptly retained two cybersecurity consulting firms to confirm the attack and determine its scope. The firm provided notice of the breach to every individual whose PII may have been compromised and offered free identity theft monitoring through a third-party provider. To date, the firm has not received any indication of a client suffering financial harm as a result of the cyber-attack.
R.T. Jones consented to a cease-and-desist order, agreed not to commit future violations of Rule 30(a), and paid a $75,000 monetary penalty. The firm also adopted a number of remedial measures, including: (a) appointing an information security manager to oversee data security; (b) no longer storing PII on its web server and instead storing it internally on an encrypted server; (c) installing a new firewall to detect intrusions; and (d) retaining a cybersecurity firm to provide ongoing reports and service. The monetary penalty the firm paid likely pales in comparison to the costs associated with the cybersecurity investigation, data breach notification and SEC investigation. This was likely a lesson learned the hard way.
In announcing the settlement the SEC emphasized that financial firms are increasingly targets of cyber-attacks and, even in cases where there is no documented financial harm to clients, the SEC intends to increase its enforcement efforts to ensure financial firms are prepared. "Firms must adopt written policies to protect their clients' private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs," said Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit.
The SEC also published a new Investor Alert, "Identity Theft, Data Breaches, and Your Investment Accounts," available here. The alert offers steps for investors to take regarding their investment accounts if they become victims of identity theft or a data breach.
Companies -- especially those in highly-regulated industries or that handle PII or personal health information (PHI) -- should periodically undertake a "gap analysis" to ensure that appropriate data security and privacy policies, practices and procedures are in place, have been implemented effectively, and are being followed. These cybersecurity "checkups" can identify gaps even in well-established data security programs, as the nature and number of threats is constantly evolving. Adopting and maintaining a robust data security program built around the National Institute of Standards and Technology's (NIST) framework for improving critical infrastructure cybersecurity is a key consideration, and the guidance set forth in the NIST framework is widely viewed as establishing best practices even for organizations that are not critical infrastructure. Securing both legal and technical advice regarding how to implement effective controls, how to mitigate against the likelihood of a data breach, and how best to respond if one nevertheless occurs can help your organization avoid learning the hard lesson described above.