SEC Charges Investment Adviser with Failure to Adopt Required Cybersecurity Policies Prior to Breach
September 28, 2015 | Authors: Eric A. Arnold; Mark D. Herlach; Clifford E. Kirsch; Michael B. Koffler; Susan S. Krawczyk
Law Firms: Sutherland Asbill & Brennan LLP - Washington Office; Sutherland Asbill & Brennan LLP - New York Office

    On September 22, the Securities and Exchange Commission (SEC) announced that it had entered into a settlement order with R.T. Jones Capital Equities Management, Inc., a St. Louis-based SEC registered investment adviser, for failure to establish required cybersecurity policies and procedures in advance of a breach. As a result of the firm’s failure to adopt reasonable cybersecurity policies and procedures, the SEC found that R.T. Jones was unable to prevent data breaches that may have compromised the personally identifiable information of approximately 100,000 individuals, including thousands of R.T. Jones’ clients.

    Rule 30(a) of Regulation S-P under the Securities Act of 1933 requires SEC registered investment advisers, among others, to adopt written policies and procedures reasonably designed to protect client records and information and to ensure the security and confidentiality of such records. According to the SEC order, for nearly four years, R.T. Jones stored sensitive PII of clients and other individuals on its third-party-hosted web server without encryption and without adopting written policies and procedures regarding the security and confidentiality of that information. In July 2013, R.T. Jones discovered that its third-party-hosted web server had been attacked by an unauthorized and unknown intruder, traced back to mainland China, who had gained full access and copy rights to the data on the server, thereby compromising the PII of more than 100,000 individuals, including thousands of R.T. Jones’ clients.

    The SEC found that R.T. Jones’ Rule 30 policies and procedures did not include conducting periodic risk assessments, employing a firewall to protect the web server containing client PII, encrypting client PII stored on that server, or establishing procedures for responding to a cybersecurity incident. The SEC concluded that, taken as a whole, R.T. Jones’ policies and procedures for protecting client records and information were not reasonably designed to safeguard such information.

    The SEC noted in the order that once a potential cybersecurity breach was discovered at the third-party web server, R.T. Jones promptly retained more than one cybersecurity consulting firm to confirm the attack and assess its scope. It also sent notice of the breach to all individuals whose PII may have been compromised and offered them free identity monitoring through a third-party provider. Despite the firm’s prompt remedial steps after the breach and its cooperation with the SEC staff, the SEC deemed R.T. Jones’ failure to adopt reasonable written cybersecurity policies and procedures in advance of the breach to be a willful violation of Rule 30(a) of Regulation S-P.

    R.T. Jones agreed to cease future violations of Regulation S-P, to appoint an information security manager, to adopt and implement a written information security policy, and to pay a $75,000 penalty. Although no client of R.T. Jones has reported any financial harm due to the data breach, the SEC order signals the commission’s continued focus on ensuring that registered investment advisers maintain adequate cybersecurity policies and procedures that protect the sensitive personal information of clients.

    Finally, in connection with the SEC order against R.T. Jones, the SEC’s Office of Investor Education and Advocacy published a new Investor Alert, “Identity Theft, Data Breaches, and Your Investment Accounts.” The Investor Alert offers tips to investors on how to safeguard their personal financial information if they become victims of identity theft or a data breach.