Investment Adviser Sanctioned for Failing to Adopt Proper Cybersecurity Policies and Procedures

On September 22, 2015, the SEC announced that it had agreed to settle enforcement proceedings brought against an investment adviser, R.T. Jones Capital Equities Management, in connection with a cybersecurity breach that compromised the personally identifiable information (“PII”) of the firm’s clients. According to the SEC settlement order, the adviser stored PII on its third-party hosted web server, which was attacked in July 2013 by an unknown cyber-intruder. The intruder gained access and copy rights to the data on the server, compromising the PII of more than 100,000 individuals, including thousands of the adviser’s clients. 

After the breach was discovered, the adviser hired cybersecurity consultants and the origin of the attack was traced to China. The adviser provided notice of the breach to every individual whose PII may have been compromised and offered free identity theft monitoring through a third-party provider. As of the date of the settlement, the firm had not received any indications that clients suffered financial harm as a result of the data security breach.

In the settlement order, the SEC noted that the adviser provided advice to retirement plan participants through a managed account option administered by a retirement plan administrator and offered by various retirement plan sponsors. The managed account program included several strategies through model portfolios maintained by the adviser. After consulting with a participant, the adviser would recommend a model portfolio. If the participant agreed with the recommendation, the adviser provided trade instructions to the retirement plan administrator, which then effected the transactions. The adviser did not control or maintain client accounts or client account information. During the relevant period, in order to verify eligibility to enroll in the managed account program, the adviser required prospective clients to log on to its website using their name, date of birth and social security number. This information was then compared against the PII of eligible plan participants that was provided by the plan sponsors, and stored, without modification or encryption, on the adviser’s third-party hosted web server. According to the SEC, the plan sponsors provided the adviser with information about all of their plan participants, not just the participants that were interested in the managed account program. Although the adviser had fewer than 8,000 plan participants as clients, its web server contained the PII of over 100,000 individuals.

Under Rule 30(a) of Regulation S-P, every investment adviser is required to adopt policies and procedures reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. According to the settlement order, the adviser failed to adopt written policies and procedures reasonably designed to safeguard its clients’ PII, as required by Rule 30(a). The SEC noted that the adviser’s policies and procedures were not “reasonably designed” in that they did not include provisions for conducting periodic risk assessments, employing a firewall to protect the web server containing client PII, encrypting client PII stored on that server, or establishing procedures for responding to a cybersecurity incident. 

While none of the adviser’s clients were shown to have suffered any harm, the adviser agreed to pay a civil monetary penalty of $75,000 as part of the settlement.

SEC Fines Investment Adviser for Custody Rule Violations

The SEC recently settled a case with Sands Brothers Asset Management LLC, an investment advisory firm (“Sands Brothers Asset Management”), as well as its two owners and its former CCO, for $1 million for repeatedly failing to provide investors with audited financial statements of the funds in a timely manner consistent with Rule 206(4)-2 under the Investment Advisers Act of 1940, as amended (the “Custody Rule”). 

In 2010, Sands Brothers and its co-owners were the subjects of an enforcement action for violations of the Custody Rule and agreed to settle the charges by paying a $60,000 penalty. In its recent release, the SEC noted that the co-owners “missed their opportunity to right a previous wrong and instead merely repeated their custody rule violations….”, resulting in more severe consequences.

In addition to the fine, the two owners will be suspended for a year from raising new funds, and they must have a compliance monitor for at least three years. Additionally, the former CCO agreed to pay a fine and will be suspended for one year from acting as a CCO or practicing as an attorney before the SEC. 

A copy of the SEC Press Release is available here. A copy of the SEC order against Sands Brothers Asset Management and its co-owners is available here, and a copy of the SEC order against the CCO is available here.

Commissioners Gallagher and Piwowar Dissent on “Backtest” Requirements

Following the release of SEC Opinion In the Matter of Raymond J. Lucia Companies, Inc. and Raymond J. Lucia, Sr., Securities Exchange Act Release No. 75837 (Sept. 3, 2015), SEC Commissioners Gallagher and Piwowar released a forceful dissent, criticizing the majority for needless “rulemaking by opinion” with respect to its position against the use of assumed inflation rates, rather than actual historical rates, for backtests.

The case centered on a slideshow presentation used by the respondents to advertise a particular investment advisory approach. To illustrate the relative advantage of their approach—termed “Buckets of Money”—during a market decline, respondents made use of a backtest based on an actual 1973 bear market scenario. Despite using actual historical returns in this scenario, respondents used an assumed inflation rate of 3%, which was consistent with the assumed rate used for other scenarios. The majority took issue with this assumed inflation rate, finding the use of an historical backtest without the corresponding actual historical inflation rates to be fraudulent.

In contrast, the dissent stated that “[i]t is appropriate to use a consistent, assumed inflation rate when comparing the results among portfolios.” Commissioners Gallagher and Piwowar focused their reasoning on disclosure, finding that the test for fraud is objective and therefore based on the perspective of a reasonable investor. By that logic, clear disclosure of inflation rate assumptions used in backtests should be all that is required.

A copy of the SEC’s majority opinion is available here and the dissent is available here.

Investment Adviser Pays $20 Million to Settle SEC Enforcement Action Alleging Non-Disclosure and Breach of Fiduciary Duty 

On August 10, 2015, the SEC settled enforcement proceedings brought against Guggenheim Partners Investment Management, LLC (“GPIM”), an investment adviser primarily to institutional clients, high net worth individuals and private funds, based on a breach of fiduciary duty and violations of the Advisers Act. The SEC order stated that the SEC determined that GPIM breached its fiduciary duty by not disclosing that a GPIM senior executive received a $50 million loan from a client that allowed the executive to participate personally in a deal led by GPIM’s corporate parent. As a result of the loan, the SEC found that GPIM had a potential conflict of interest whereby GPIM might place the lending client’s interests over the interests of other clients. The SEC noted that GPIM did not disclose the loan when GPIM placed certain of its other clients in two transactions on different terms from the client who made the loan. The allegations included a number of additional violations of provisions of the Advisers Act, including the adviser’s failure to enforce its code of ethics with respect to recording the loan. In settlement of these alleged violations, GPIM agreed to pay a civil monetary penalty of $20 million.