The Securities and Exchange Commission (SEC) announced that R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, has agreed to settle charges that it failed to establish cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients. Without admitting or denying the findings, R.T. Jones agreed to cease and desist from committing or causing any future violations of Rule 30(a) of Regulation S-P and also agreed to be censured and pay a $75,000 penalty.
An SEC investigation of the breach found that R.T. Jones Capital Equities Management violated this “safeguards rule” during a nearly four-year period when it failed to adopt any written policies and procedures to ensure the security and confidentiality of PII and protect it from anticipated threats or unauthorized access. According to the SEC’s order instituting a settled administrative proceeding, the firm’s web server was attacked in July 2013 by an unknown hacker who gained access to the data on the server and the ability to copy it, rendering the PII vulnerable to theft. With respect to the lack of procedures, the SEC noted that R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.
Ironically, after R.T. Jones discovered the breach, the firm promptly retained more than one cybersecurity consulting firm to confirm the attack, which was traced to China, and to determine the scope of the breach; it provided notice of the breach to every individual whose PII may have been compromised and offered free identity theft monitoring through a third-party provider. Additionally, to date the firm has not received any indication that a client has suffered financial harm as a result of the cyberattack.
It is clear that the SEC’s action was meant to send a strong message to the financial industry. Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit, noted that “As we see an increasing barrage of cyberattacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients … firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
The clear takeaway for the financial industry is that while both periodic risk assessments and firewalls are becoming the norm, it is time for firms to look beyond them and address encryption of PII stored on servers and the development of incident response plans that set out the actions to be taken in the event of a breach.