The Securities and Exchange Commission Tuesday censured and fined a St. Louis-based investment advisor for not having cybersecurity policies and procedures in place to stop a breach of 100,000 individuals’ personally identifiable information (PII), including that of thousands of the firm’s clients.
Without admitting or denying the SEC’s findings, R.T. Jones Capital Equities Management agreed to pay a $75,000 penalty to settle charges that it violated federal securities laws requiring registered investment advisors (RIAs) to adopt written policies and procedures reasonably designed to protect customer records and information.
An SEC investigation found that R.T. Jones Capital Equities Management violated this “safeguards rule” during a nearly four-year period when it failed to adopt any written policies and procedures to ensure the security and confidentiality of PII and protect it from anticipated threats or unauthorized access.
The censure and fine for R.T. Jones Capital come just days after the SEC released, on Sept. 15, a set of questions for advisors and broker-dealers to answer regarding their cybersecurity preparedness, as the agency will soon begin its second round of cyber-related exams.
The SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert to provide additional information on the areas of focus for the exam division’s second round of cyber exams, which the agency says will involve “more testing to assess implementation of firm procedures and controls.”
“As we see an increasing barrage of cyberattacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients,” said Marshall Sprung, co-chief of the SEC Enforcement Division’s Asset Management Unit, in a statement. “Firms must adopt written policies to protect their clients’ private information, and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
According to the SEC’s order against R.T. Jones instituting a settled administrative proceeding, the firm stored sensitive PII of clients and others on its third-party-hosted Web server from September 2009 to July 2013.
The server was attacked in July 2013 by an unknown hacker who gained access and copy rights to the data on the server, rendering the PII of more than 100,000 individuals, including thousands of R.T. Jones’ clients, vulnerable to theft.
The firm “failed entirely” to adopt written policies and procedures reasonably designed to safeguard customer information. For example, the SEC states that R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server or maintain a response plan for cybersecurity incidents.
After R.T. Jones discovered the breach, the firm promptly retained more than one cybersecurity consulting firm to confirm the attack, which was traced to China, and to determine its scope.
Shortly after the incident, R.T. Jones provided notice of the breach to every individual whose PII may have been compromised and offered free identity theft monitoring through a third-party provider.
To date, the SEC says the firm has not received any indications of a client suffering financial harm as a result of the cyberattack.
The SEC’s order finds that R.T. Jones violated Rule 30(a) of Regulation S-P under the Securities Act of 1933.
The SEC’s Office of Investor Education and Advocacy published Tuesday a new Investor Alert, “Identity Theft, Data Breaches, and Your Investment Accounts,” which offers steps for investors to take regarding their investment accounts if they become victims of identity theft or a data breach.