A St. Louis-based investment adviser has settled SEC charges that it lacked an adequate cybersecurity plan before a data breach that compromised personal information of about 100,000 individuals, including thousands of the firm’s clients.
The federal securities laws require registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information.
An SEC investigation found that R.T. Jones Capital Equities Management violated this “safeguards rule.” For four years, the firm “failed to adopt any written policies and procedures to ensure the security and confidentiality of PII [personally identifiable information] and protect it from anticipated threats or unauthorized access,” the SEC said.
The SEC settled the enforcement action through an administrative order and didn’t go to court.
R.T. Jones agreed to be censured and pay a $75,000 penalty.
According to the SEC’s administrative order, the firm stored sensitive PII of clients and others on a third-party server from late 2009 to mid-2013.
The server was attacked and breached in July 2013 by an unknown hacker traced to China.
R.T. Jones didn’t have a written cybersecurity policy and had failed “to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents,” the SEC said.
After discovering the breach, R.T. Jones retained cybersecurity consultants to confirm the attack and determine its scope. It then notified every individual whose PII may have been compromised and offered free identity theft monitoring through a third-party provider.
“To date,” the SEC said, “the firm has not received any indications of a client suffering financial harm as a result of the cyber attack.”
Marshall Sprung of the SEC enforcement division said, “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
The SEC’s order found that R.T. Jones violated Rule 30(a) of Regulation S-P under the Securities Act of 1933 (Privacy of Consumer Financial Information).
R.T. Jones settled with the SEC without admitting or denying the findings.
* * *
The SEC’s administrative order, In the Matter of R.T. Jones Capital Equities Management, Inc., Investment Advisers Act of 1940 Release No. 4204 and Administrative Proceeding File No. 3-16827 (September 22, 2015), is here (pdf).
Richard L. Cassin is the publisher and editor of the FCPA Blog. He can be contacted here.