On September 22, 2015, the SEC announced that R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, settled charges with the SEC for failing to establish cybersecurity policies and procedures as required by the SEC’s safeguards rule. In July 2013, R.T. Jones was the victim of a cybersecurity breach that exposed the personally identifiable information (PII) of approximately 100,000 individuals, including firm clients. Although the firm promptly provided notice of the breach to all affected individuals and retained cybersecurity consultants to trace the attack, the firm’s prompt response did not – according to the SEC – make up for its alleged failure to adopt written cybersecurity policies and procedures in the four years prior to the attack.
Significantly, the SEC took action here “to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients,” said Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit. Sprung noted that “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.” On the same day the SEC announced this enforcement action, the agency also issued an “Investor Alert” on “Identity Theft, Data Breaches and Your Investment Accounts” to help investors safeguard their personal information. See http://www.sec.gov/oiea/investor-alerts-bulletins/ia_databreaches.html.
Under Rule 30(a) of Regulation S-P under the Securities Act, every broker, dealer, and investment company, and every investment adviser registered with the SEC must adopt written policies and procedures implementing administrative, technical, and physical safeguards for the protection of customer records and information. These protections must:
Ensure the security and confidentiality of customer records and information;
- Protect against any anticipated threats or hazards to the security or integrity of those records or information; and
- Protect against unauthorized access to or use of those records or information that could result in substantial harm or inconvenience to any customer.
The SEC order instituting a settled administrative hearing found that R.T. Jones failed to comply with the safeguards rule by failing entirely to adopt written policies and procedures designed to protect customer information. Additionally, the SEC found that R.T. Jones failed to conduct periodic cybersecurity risk assessments, encrypt PII stored on a third-party server, implement a firewall, or maintain a response plan for potential cybersecurity incidents.
In settling the enforcement action, the SEC credited the respondent’s cooperation and the following remedial efforts which had been promptly undertaken:
- Appointment of an information security manager to oversee data security and protection of PII;
- Adoption and implementation of a written information security policy;
- Termination of storage of PII on the firm’s webserver;
- Encryption of any PII stored on the firm’s internal network;
- Installation of a new firewall and logging system to prevent and detect malicious incursions; and
- Retention of a cybersecurity firm to provide ongoing reports and advice on the firm’s information technology security.
The settlement included an agreement by R.T. Jones to pay $75,000 and cease and desist from committing or causing any future violations of Rule 30(a).
The SEC’s order may be found here: http://www.sec.gov/litigation/admin/2015/ia-4204.pdf
This recent action comes quickly on the heels of the SEC’s OCIE Cybersecurity Risk Alert highlighting the SEC’s new cybersecurity initiative, making clear that the SEC can be expected to ask for documentation of a cybersecurity program during examination.