Many in the investment advisory community are following the story of R.T. Jones Capital Equities Management, an investment advisor that, according to the Securities and Exchange Commission (SEC), suffered a hack exposing the personally identifiable information of "approximately 100,000 individuals, including thousands of the firm’s clients."*
The SEC recently announced a resolution with R.T. Jones that included:
- Advisor’s agreement to be censured by the SEC;
- Payment of a $75,000 penalty;
- Advisor’s agreement to cease and desist from violations of Rule 30(a) of Regulation S-P.
R.T. Jones also agreed to remedial measures, including appointing an information security manager, implementing a written information security policy, and taking steps to increase technical security.
While 100% guaranteed information security is not possible, the SEC did not bring the action against R.T. Jones for failure to meet that 100% standard. Rather, the SEC cited R.T. Jones for allegedly failing to have in place more basic security measures. Among the matters the SEC pointed to were:
- "The firm failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information."
- R.T. Jones "failed to conduct periodic risk assessments…or maintain a response plan for cybersecurity incidents."