The SEC’s focus in the action was not on the manner of the firm’s responses to the breach or whether there was any actual harm, but predominantly on the adequacy of the firm’s written policies for safeguarding customer information and its cybersecurity vulnerabilities.
On September 22, the Securities and Exchange Commission (SEC) announced that it had settled charges brought against an investment adviser under the Safeguards Rule of Regulation S-P for failures to protect client data after the firm’s web server had been cyber-attacked. The announcement of the In the Matter of R. T. Jones Capital Equities Management, Inc. (R. T. Jones) settlement comes squarely on the heels of the Office of Compliance Inspections and Examinations’ (OCIE’s) “2015 Cybersecurity Examination Initiative” announced on September 15, and underscores the SEC’s focus on cybersecurity and cybersecurity enforcement.
The OCIE described its 2015 Cybersecurity Examination Initiative as being intended to “assess cybersecurity preparedness in the securities industry, including firms’ ability to protect broker-dealer customer and investment adviser client information.” In particular, the OCIE announcement highlighted examination findings on cybersecurity breaches related to weaknesses in basic controls and stated that examiners would focus on cybersecurity-related controls and the implementation of certain firm controls and compliance practices.
The Safeguards Rule requires registered investment advisers to adopt written policies and procedures reasonably designed to (1) ensure the security and confidentiality of customer records and information, (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information, and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. In R. T. Jones, the SEC alleged that the firm’s policies and procedures “taken as a whole” were not reasonably designed to safeguard customer information.
The cybersecurity incident that was the basis for the order in R. T. Jones (the Order) occurred in 2013 and involved a suspected Chinese hacker breaching a third-party-hosted web server that held data on clients of R. T. Jones. According to the SEC, the breach may have caused approximately 100,000 individuals, including “thousands” of R. T. Jones’s clients, to be “vulnerable to theft.” The SEC noted in its Order that the firm had no information indicating that any client suffered financial harm as a result of the cyber-attack and that R. T. Jones had promptly notified affected customers and engaged in a number of other remedial efforts. Nonetheless, R. T. Jones was fined $75,000 as part of an overall settlement for failure to adopt written policies and procedures reasonably designed to protect customer records and information, in violation of Rule 30(a) of Regulation S-P.
The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.