The SEC brought an enforcement action against R.T. Jones Capital Equities Management, Inc., an investment adviser based in St. Louis, Missouri, for failing to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients. The SEC found that R.T. Jones violated Rule 30(a) of Regulation S-P under the Securities Act of 1933 during a nearly four-year period when it failed to adopt any written policies and procedures to ensure the security and confidentiality of PII and protect it from anticipated threats or unauthorized access.
According to the SEC, R.T. Jones stored sensitive PII of clients and others on its third party-hosted web server from September 2009 to July 2013. The firm’s web server was attacked in July 2013 by an unknown hacker who gained access and copy rights to the data on the server, rendering the PII of more than 100,000 individuals, including thousands of R.T. Jones’s clients, vulnerable to theft. The SEC stated that the firm failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information.
For example, R.T. Jones failed to:
- conduct periodic risk assessments,
- implement a firewall,
- encrypt PII stored on its server, or
- maintain a response plan for cybersecurity incidents.
After R.T. Jones discovered the breach, the firm promptly retained more than one cybersecurity consulting firm to confirm the attack, which was traced to China, and determine the scope. Shortly after the incident, R.T. Jones provided notice of the breach to every individual whose PII may have been compromised and offered free identity theft monitoring through a third-party provider.
As of the date of the SEC order, the firm has not received any indications of a client suffering financial harm as a result of the cyber attack. R.T. Jones was censured and ordered to pay a $75,000 penalty.
Click https://www.sec.gov/litigation/admin/2015/ia-4204.pdf to access the enforcement action.