Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.

This Sidley Update was originally published as a blog post on Data Matters, Sidley's Privacy, Data Security and Information Law blog. Interested parties can sign up for email alerts that will notify them when new posts are added to the blog.

SIDLEY UPDATE
OCTOBER 2, 2015

Investment Adviser Charged by SEC for Failing to Adopt Proper Cybersecurity Policies

On September 22, 2015, the Securities and Exchange Commission (SEC) announced that R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, had settled charges that it failed to establish cybersecurity policies and procedures as required by the SEC's safeguards rule. In July 2013, R.T. Jones was the victim of a cybersecurity breach that exposed the personally identifiable information (PII) of approximately 100,000 individuals, including firm clients. Although the firm promptly notified all affected individuals and retained cybersecurity consultants to trace the attack, its prompt response did not, according to the SEC, make up for its alleged failure to adopt written cybersecurity policies and procedures in the four years prior to the attack. Significantly, the SEC took action "to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients," said Marshall S. Sprung, Co-Chief of the SEC Enforcement Division's Asset Management Unit.
Sprung noted that "Firms must adopt written policies to protect their clients' private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs."

On the same day it announced this enforcement action, the SEC also issued an Investor Alert, "Identity Theft, Data Breaches and Your Investment Accounts," to help investors safeguard their personal information. See http://www.sec.gov/oiea/investor-alerts-bulletins/ia_databreaches.html.

Under Rule 30(a) of Regulation S-P (the SEC's safeguards rule, 17 CFR 248.30(a)), every broker, dealer and investment company, and every investment adviser registered with the SEC, must adopt written policies and procedures implementing administrative, technical and physical safeguards for the protection of customer records and information. Those policies and procedures must be reasonably designed to:

• Ensure the security and confidentiality of customer records and information;
• Protect against any anticipated threats or hazards to the security or integrity of those records or information; and
• Protect against unauthorized access to or use of those records or information that could result in substantial harm or inconvenience to any customer.

The SEC's order instituting settled administrative and cease-and-desist proceedings found that R.T. Jones violated the safeguards rule by failing entirely to adopt written policies and procedures designed to protect customer information. The SEC also found that R.T. Jones had not conducted periodic cybersecurity risk assessments, had not encrypted the PII stored on a third-party server, had not implemented a firewall, and had not maintained a response plan for cybersecurity incidents.
In settling the enforcement action, the SEC credited the respondent's cooperation and the following remedial steps, which the firm undertook promptly after the breach:

• Appointment of an information security manager to oversee data security and protection of PII;
• Adoption and implementation of a written information security policy;
• Termination of storage of PII on the firm's webserver;
• Encryption of any PII stored on the firm's internal network;
• Installation of a new firewall and logging system to prevent and detect malicious incursions; and
• Retention of a cybersecurity firm to provide ongoing reports and advice on the firm's information technology security.

R.T. Jones also agreed to pay a US$75,000 penalty and to cease and desist from committing or causing any future violations of Rule 30(a). The SEC's order is available at http://www.sec.gov/litigation/admin/2015/ia-4204.pdf.

This action follows closely on the SEC Office of Compliance Inspections and Examinations' Cybersecurity Risk Alert announcing its new cybersecurity examination initiative, and it makes clear that the SEC can be expected to ask for documentation of a cybersecurity program during an examination. For further information on that initiative, see http://datamatters.sidley.com/secs-ocie-cybersecurity-risk-alert-announces-cybersecurity-examination-initiative/.

If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or:

Alan Charles Raul, Partner, +1 202 736 8477
Edward R. McNicholas, Partner, +1 202 736 8010
Colleen Theresa Brown, Associate, +1 202 736 8465

Privacy, Data Security and Information Law Practice

We offer clients an inter-disciplinary, international group of lawyers focusing on the complex national and international issues of data protection and cyber law.
The group includes lawyers experienced in regulatory compliance, litigation, financial institutions, healthcare, EU regulation, IT licensing, marketing counsel, intellectual property and criminal issues. Sidley provides services in the following areas:

• Privacy and Consumer Protection Litigation, Enforcement and Regulatory Compliance
• Data Breach, Incident Response and Cybersecurity Advice, Response and Litigation
• Global Data Protection, International Data Transfer Solutions and Cross-Border Issues
• Corporate Data Protection, Compliance Programs and Information Governance Assessments
• FTC and State Attorney General Investigations of Unfair or Deceptive Acts and Practices
• Cloud Computing, Social Media, Online Advertising, Internet of Things, E-Commerce and Internet Issues
• EU, China, Japan, Singapore, Hong Kong and other International Data Protection and Compliance Counseling
• Gramm-Leach-Bliley and Financial Privacy
• HIPAA and Healthcare Privacy
• Communications Law and Data Protection
• Workplace Privacy and Employee Monitoring
• Website Policies, Online Trademarks and Domain Name Protection
• Records Retention, Electronic Discovery and Defensible Deletion
• Governmental Access and National Security

Investment Funds Practice

Sidley has a premier, global practice in structuring and advising investment funds and advisers. We advise clients in the formation and operation of all types of alternative investment vehicles, including hedge funds, fund-of-funds, commodity pools, venture capital and private equity funds, private real estate funds and other public and private pooled investment vehicles. We also represent clients with respect to more traditional investment funds, such as closed-end and open-end registered investment companies (i.e., mutual funds) and exchange-traded funds (ETFs).

Our advice covers the broad scope of legal and compliance issues that are faced by funds and their boards, as well as investment advisers to funds and other investment products and accounts, under the laws and regulations of the various jurisdictions in which they may operate. In particular, we advise our clients regarding complex federal and state laws and regulations governing securities, commodities, funds and advisers, including the Dodd-Frank Act, the Investment Company Act of 1940, the Investment Advisers Act of 1940, the Securities Act of 1933, the Securities Exchange Act of 1934, the Commodity Exchange Act, the USA PATRIOT Act and comparable laws in non-U.S. jurisdictions. Our practice group consists of approximately 120 lawyers in New York, Chicago, London, Hong Kong, Singapore, Shanghai, Tokyo, Los Angeles and San Francisco.

To receive Sidley Updates, please subscribe at www.sidley.com/subscribe.

BEIJING ∙ BOSTON ∙ BRUSSELS ∙ CENTURY CITY ∙ CHICAGO ∙ DALLAS ∙ GENEVA ∙ HONG KONG ∙ HOUSTON ∙ LONDON ∙ LOS ANGELES ∙ NEW YORK ∙ PALO ALTO ∙ SAN FRANCISCO ∙ SHANGHAI ∙ SINGAPORE ∙ SYDNEY ∙ TOKYO ∙ WASHINGTON, D.C.

Sidley Austin refers to Sidley Austin LLP and affiliated partnerships as explained at www.sidley.com/disclaimer. www.sidley.com