In the Matter of R.T. Jones Capital Equities Management, Inc., SEC Administrative Proceeding No. 3-16827: SEC Enforces “Safeguards Rule” Against Investment Adviser for Failure to Adopt Written Policies and Procedures to Protect Customer Information from Cybersecurity Attacks

On 22 September 2015, the SEC reached a settlement with R.T. Jones Capital Equities Management, Inc. ("R.T. Jones") over the company's failure to maintain proper policies and procedures to protect customer information from a cyber-security attack. The SEC pursued this action even though there was no evidence that any client had actually suffered financial harm from the cyber-attack, and despite the fact that R.T. Jones took prompt action to try to remediate the threat.

R.T. Jones is an investment adviser registered with the SEC that offers investment advice to retirement plan participants based on a program that applies various investment profiles. Potential clients would provide personal information to R.T. Jones, which would determine their eligibility by comparing that information to the personally identifiable information that the company received from plan sponsors. R.T. Jones stored this personal information on a "third party-hosted web server without adopting written policies and procedures regarding the security and confidentiality of that information."

In July 2013, R.T. Jones found a possible cyber-security breach on its third-party hosted web server. R.T. Jones was found to have willfully violated Rule 30(a) of Regulation S-P, also known as the "Safeguards Rule," which the SEC explained "requires registered investment advisers to adopt written policies and procedures that are reasonably designed to safeguard customer records and information." The SEC noted in particular that R.T. Jones lacked policies and procedures for "conducting periodic risk assessments, employing a firewall to protect the web server containing client [personally identifiable information], encrypting [such information] stored on that server, or establishing procedures for responding to a cyber-security incident." While R.T. Jones neither admitted nor denied the SEC's findings, the SEC imposed several sanctions under the Investment Advisers Act, including a cease-and-desist order, censuring the company, and a civil penalty of $75,000.

Although there was no evidence of any clients suffering financial harm, and despite the fact that R.T. Jones took prompt remedial efforts and cooperated with the SEC, the SEC explained in its press release that "[a]s we see an increasing barrage of cyber-attacks on financial firms, it is important to enforce the safeguards rule even ... when there is no apparent financial harm to clients." The remediation efforts that R.T. Jones took following the breach, including the appointment of an information security manager, the implementation of a written information security policy that established a more secure data storage system, the retention of a cyber-security advisory firm, and free identity monitoring for individuals whose data was compromised, are useful examples of cyber-security measures that companies can take. This action was brought under the specific securities laws and regulations described above that apply to investment advisers, but all companies can take steps to determine the particular cyber-security rules that apply to them based on the type of personal data they maintain and the rules and regulations applicable to it.