The Securities and Exchange Commission Tuesday censured and fined a St. Louis-based investment advisor for not having cybersecurity policies and procedures in place to stop a breach of 100,000 individuals’ personally identifiable information (PII), including thousands of the firm’s clients.
Without admitting or denying the SEC’s findings, R.T. Jones Capital Equities Management agreed to pay a $75,000 penalty to settle charges that it violated federal securities laws requiring RIAs to adopt written policies and procedures reasonably designed to protect customer records and information.
An SEC investigation found that R.T. Jones Capital Equities Management violated this “safeguards rule” during a nearly four-year period when it failed to adopt any written policies and procedures to ensure the security and confidentiality of PII and protect it from anticipated threats or unauthorized access.
The censure and fine for R.T. Jones Capital come just days after the SEC released on Sept. 15 a set of questions for advisors and broker-dealers to answer regarding their cybersecurity preparedness, as the agency will soon begin conducting its second round of cyber-related exams.
The SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert to provide additional information on the areas of focus for the exam division’s second round of cyber exams, which the agency says will involve “more testing to assess implementation of firm procedures and controls.”
“As we see an increasing barrage of cyberattacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients,” said Marshall Sprung, co-chief of the SEC Enforcement Division’s Asset Management Unit, in a statement. “Firms must adopt written policies to protect their clients’ private information, and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
According to the SEC’s order against R.T. Jones instituting a settled administrative proceeding, the firm stored sensitive PII of clients and others on its third-party-hosted web server from September 2009 to July 2013.
The server was attacked in July 2013 by an unknown hacker who gained access and copy rights to the data on the server, rendering the PII of more than 100,000 individuals, including thousands of R.T. Jones’ clients, vulnerable to theft.