Logo for print

SEC Announces First Cybersecurity Enforcement Action Against an Investment Adviser for Failure to Protect Client Data

Updates

On September 22, 2015, the Securities and Exchange Commission (SEC) announced its first cybersecurity-related enforcement action against an investment adviser for failure to protect customer records and information. According to the settlement, R.T. Jones Capital Equities Management, Inc. (R.T. Jones) failed to adopt written policies and procedures reasonably designed to protect customer records and information, in violation of Rule 30(a) of Regulation S-P (Safeguards Rule).

The Safeguards Rule requires registered investment advisers to adopt written policies and procedures reasonably designed to maintain the confidentiality and security of customer information, anticipate and defend against threats to the security of such information, and protect customers from harm or inconvenience as a result of unauthorized access to customer information.

R.T. Jones, a St. Louis-based investment adviser with $480 million in assets under management, stored the personal identifying information (PII) of clients, prospective clients, and eligible plan participants on a third party-hosted web server.  R.T. Jones had fewer than 8,000 plan participants, but the server housed the PII of over 100,000 individuals. Access to the PII was limited to two individual administrators.

In 2013, R.T. Jones detected a cybersecurity breach and retained multiple cybersecurity consulting firms to assess the scope of the breach. To date, R.T. Jones has not identified any client who has suffered any financial harm as a result of the cyberattack.

In response to the breach, R.T. Jones undertook a number of remedial actions, including adopting written polices, appointing an information security manager, and removing PII from its webserver. While these efforts were considered by the SEC in the settlement process, the SEC ultimately censured the firm and assessed a civil penalty of $75,000.

The focus of the SEC in R.T. Jones was primarily on the inadequacy of the firm’s written policies and procedures for protecting customer information and not on the firm’s remedial response measures and the level of actual harm.

The full text of the R.T. Jones settlement is available here.