On September 22, 2015, the Securities and Exchange Commission (SEC) announced that R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, settled charges with the SEC for failing to establish cybersecurity policies and procedures as required by the SEC’s safeguards rule. In July 2013, R.T. Jones was the victim of a cybersecurity breach that exposed the personally identifiable information (PII) of approximately 100,000 individuals, including firm clients. Although the firm promptly provided notice of the breach to all affected individuals and retained cybersecurity consultants to trace the attack, the firm’s prompt response did not—according to the SEC—make up for its alleged failure to adopt written cybersecurity policies and procedures in the four years prior to the attack.
Significantly, the SEC took action here “to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients,” said Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit. Sprung noted that “Firms must adopt written policies to protect their clients' private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.” On the same day the SEC announced this enforcement action, the agency also issued an “Investor Alert” on “Identity Theft, Data Breaches and Your Investment Accounts” to help investors safeguard their personal information. See http://www.sec.gov/oiea/investor-alerts-bulletins/ia_databreaches.html.
Under Rule 30(a) of Regulation S-P under the Securities Act of 1933, every broker, dealer and investment company, and every investment adviser registered with the SEC, must adopt written policies and procedures implementing administrative, technical and physical safeguards for the protection of customer records and information. These protections must:
- Ensure the security and confidentiality of customer records and information;
- Protect against any anticipated threats or hazards to the security or integrity of those records or information; and
- Protect against unauthorized access to or use of those records or information that could result in substantial harm or inconvenience to any customer.
The SEC order instituting a settled administrative proceeding found that R.T. Jones failed to comply with the safeguards rule by failing entirely to adopt written policies and procedures designed to protect customer information. Additionally, the SEC found that R.T. Jones failed to conduct periodic cybersecurity risk assessments, encrypt PII stored on a third-party server, implement a firewall or maintain a response plan for potential cybersecurity incidents.
In settling the enforcement action, the SEC credited the respondent’s cooperation and the following remedial efforts which had been promptly undertaken:
- Appointment of an information security manager to oversee data security and protection of PII;
- Adoption and implementation of a written information security policy;
- Termination of storage of PII on the firm’s webserver;
- Encryption of any PII stored on the firm’s internal network;
- Installation of a new firewall and logging system to prevent and detect malicious incursions; and
- Retention of a cybersecurity firm to provide ongoing reports and advice on the firm’s information technology security.
The settlement included an agreement by R.T. Jones to pay US$75,000 and cease and desist from committing or causing any future violations of Rule 30(a).
The SEC’s order is available at: http://www.sec.gov/litigation/admin/2015/ia-4204.pdf.
This recent action comes quickly on the heels of the SEC’s Office of Compliance Inspections and Examinations Cybersecurity Risk Alert highlighting the SEC’s new cybersecurity initiative, making clear that the SEC can be expected to ask for documentation of a cybersecurity program during examination. For further information on this initiative, see http://datamatters.sidley.com/secs-ocie-cybersecurity-risk-alert-announces-cybersecurity-examination-initiative/.
This Sidley Update was originally published as a blog post on Data Matters, Sidley’s Privacy, Data Security and Information Law blog.
If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or
Alan Charles Raul
+1 202 736 8477
Colleen Theresa Brown
+1 202 736 8465