SEC Settles Charges Against Investment Advisor Over Cybersecurity Policies | Practical Law

The SEC announced it has agreed to settle charges that an investment advisor failed to adopt cybersecurity policies and procedures before it suffered a data security breach that compromised approximately 100,000 individuals' personally identifiable information.

Practical Law Legal Update 0-618-9793 (Approx. 3 pages)

by Practical Law Intellectual Property & Technology
Published on 25 Sep 2015 | USA (National/Federal)
On September 22, 2015, the SEC announced it has settled proceedings brought against investment advisor R.T. Jones Capital Equities Management, Inc. for allegedly failing to establish cybersecurity policies and procedures in advance of a 2013 data breach, in violation of Regulation S-P, the Safeguards Rule (In re R.T. Jones Capital Equities Management, Inc., File No. 3-16827, Release No. 4204 (S.E.C. Sept. 22, 2015)).
According to the settlement order, R.T. Jones:
  • Required prospective clients to log on to its website using their name, date of birth and Social Security number to determine whether the clients were eligible participants in a particular retirement plan.
  • Stored more than 100,000 prospective clients' personal information, without modification or encryption, on a third-party hosted web server.
  • Discovered a potential cybersecurity breach resulting from a cyber attack that was launched from multiple IP addresses originating from China.
  • Provided notice of the breach to all individuals whose personal information may have been compromised and offered them free identity monitoring services through a third-party provider.
The Safeguards Rule requires all registered investment advisors to adopt policies and procedures that:
  • Ensure the security and confidentiality of customer records and information.
  • Protect against:
    • anticipated threats or hazards to the security or integrity of customer records; and
    • unauthorized access to or use of customer records that could result in substantial harm or inconvenience to any customer.
The SEC alleged that R.T. Jones failed to adopt any written policies or procedures that complied with the Safeguards Rule. In accordance with the settlement agreement, R.T. Jones has agreed to take the following steps to mitigate the future risk of cyber threats:
  • Appoint an information security manager to oversee data security and protection of personal information.
  • Adopt and implement a written information security policy.
  • Refrain from storing personal information on its web server.
  • Encrypt any personal information stored on its internal network.
  • Install a new firewall and logging system to prevent and detect malicious cyber attack attempts.
  • Retain a cybersecurity firm to provide ongoing reports and advice on the firm's information technology security.
R.T. Jones will also pay a $75,000 penalty to the SEC.