Sep 232015

Investment Adviser Charged by SEC for Failing to Adopt Proper Cybersecurity Policies

Alan Charles Raul, Edward R. McNicholas and Grady Nye
, , ,

On September 22, 2015, the SEC announced that R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, settled charges with the SEC for failing to establish cybersecurity policies and procedures as required by the SEC’s safeguards rule.  In July 2013, R.T. Jones was the victim of a cybersecurity breach that exposed the personally identifiable information (PII) of approximately 100,000 individuals, including firm clients.  Although the firm promptly provided notice of the breach to all affected individuals and retained cybersecurity consultants to trace the attack, the firm’s prompt response did not – according to the SEC – make up for its alleged failure to adopt written cybersecurity policies and procedures in the four years prior to the attack.

Significantly, the SEC took action here “to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients,” said Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit.  Sprung noted that “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”  On the same day the SEC announced this enforcement action, the agency also issued an “Investor Alert” on “Identity Theft, Data Breaches and Your Investment Accounts” to help investors safeguard their personal information.  See http://www.sec.gov/oiea/investor-alerts-bulletins/ia_databreaches.html.

Under Rule 30(a) of Regulation S-P under the Securities Act of 1933, every broker, dealer, and investment company, and every investment adviser registered with the SEC must adopt written policies and procedures implementing administrative, technical, and physical safeguards for the protection of customer records and information.  These protections must:

  • Ensure the security and confidentiality of customer records and information;
  • Protect against any anticipated threats or hazards to the security or integrity of those records or information; and
  • Protect against unauthorized access to or use of those records or information that could result in substantial harm or inconvenience to any customer.

The SEC order instituting a settled administrative hearing found that R.T. Jones failed to comply with the safeguards rule by failing entirely to adopt written policies and procedures designed to protect customer information.  Additionally, the SEC found that R.T. Jones failed to conduct periodic cybersecurity risk assessments, encrypt PII stored on a third-party server, implement a firewall, or maintain a response plan for potential cybersecurity incidents.

In settling the enforcement action, the SEC credited the respondent’s cooperation and the following remedial efforts which had been promptly undertaken:

  • Appointment of an information security manager to oversee data security and protection of PII;
  • Adoption and implementation of a written information security policy;
  • Termination of storage of PII on the firm’s webserver;
  • Encryption of any PII stored on the firm’s internal network;
  • Installation of a new firewall and logging system to prevent and detect malicious incursions; and
  • Retention of a cybersecurity firm to provide ongoing reports and advice on the firm’s information technology security.

The settlement included an agreement by R.T. Jones to pay $75,000 and cease and desist from committing or causing any future violations of Rule 30(a).

The SEC’s order may be found here: http://www.sec.gov/litigation/admin/2015/ia-4204.pdf

This recent action comes quickly on the heels of the SEC’s OCIE Cybersecurity Risk Alert highlighting the SEC’s new cybersecurity initiative, making clear that the SEC can be expected to ask for documentation of a cybersecurity program during examination.  For further information on this initiative, see http://datamatters.sidley.com/secs-ocie-cybersecurity-risk-alert-announces-cybersecurity-examination-initiative/

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Edward R. McNicholas

emcnicholas@sidley.com

Grady Nye

gnye@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

FINRA Issues 2023 Report on Its Examination and Risk Monitoring Program

On January 10, 2023, the Financial Industry Regulatory Authority (FINRA) published its 2023 Report on its Examination and Risk Monitoring Program (the Report).1 The 75-page Report includes four new topic areas for 2023: (1) manipulative trading, (2) fixed income — fair pricing, (3) fractional shares — reporting and order handling, and (4) Regulation SHO.

Unpacking Digital Data Laws Across Europe: Addressing the Digital Markets Act

The EU Digital Markets Act (DMA) is set to revolutionize the way in which so-called ‘Big Tech’ is regulated in the EU, shifting toward ex-ante rulemaking and away from traditional after-the-fact enforcement. The DMA imposes a stringent regulatory regime on large online platforms (so-called “gatekeepers”) and gives the European Commission (Commission) new enforcement powers, including an ability to impose severe fines and remedies for noncompliance.