The SEC’s ongoing battle against cybersecurity issues continued this week. On September 22, 2015, the SEC sanctioned registered investment adviser R.T. Jones Capital Equities Management, Inc. (“R.T. Jones”) for failing to adopt written policies and procedures reasonably designed to safeguard consumer information in violation of the SEC’s Safeguards Rule (Rule 30(a) of Regulation S-P). The matter arose in connection with a potential cyberattack of R.T Jones’ third-party hosted server, which the SEC alleged put at risk of possible unauthorized access the personally identifiable information (“PII”) of more than 100,000 individuals. The SEC alleged that the Safeguards Rule requires SEC registered investment advisers to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. According to the SEC’s Order Instituting Proceedings (“OIP”), R.T. Jones, through agreements with retirement plan administrators and sponsors, provides investment advice to individual plan participants through an internet based platform. The individual plan participants accessed this platform by first entering certain PII, including their name, date of birth and social security numbers. This PII was stored on a third-party-hosted web server in an unmodified or unencrypted manner. In 2013, R.T. Jones discovered a potential cybersecurity breach at the third-party-hosted web server and retained cyber security consultants to investigate the breach, which led to the discovery by one consultant of a cyber attack from IP addresses traced back to China. As a result, the SEC alleged, the “intruder” was allowed to get full access and copy rights to data stored on the server – which at that point was more than 100,000 individuals. Critically, however, it could not be determined whether the PII stored on the server had been accessed during the breach. Furthermore, R.T. .Jones notified all possible breach victims and offered the victims free identity monitoring services. Finally, there was no evidence that any of the victims suffered any financial harm as a result of the breach. The SEC cited the following deficiencies in alleging the R.T. Jones violation: Jones’s policies and procedures for protecting its clients’ information did not include, for example: conducting periodic risk assessments, employing a firewall to protect the web server containing client PII, encrypting client PII stored on that server, or establishing procedures for responding to a cybersecurity incident. As a result of the conduct, R.T. Jones was ordered to cease and desist from future violations of the Safeguards Rule, censured and ordered to pay a civil penalty of $75,000. The SEC’s OIP cited R.T. Jones’s remedial efforts designed to prevent a future violation, including:
- The appointment of an information security manager with responsibilities for overseeing data security and protection of PII,
- The adoption and implementation of a written information security policy.
- Changes in practices, including that the firm
- does not store PII on its web server and any PII stored on its internal network is encrypted
- has installed a new firewall and log-in system designed to prevent and detect cyberattacks
- has retained a cybersecurity firm to provide ongoing reports and advice on cybersecurity matters.
The SEC has made cybersecurity an emphasis of its regulatory exam process for some time and this case is further evidence that the SEC is willing to proceed with enforcement actions in circumstances it deems appropriate. This case provides an opportunity for registered entities to reassess and bolster, where necessary, their cybersecurity policies.