On September 22, the Securities and Exchange Commission (“SEC”) announced an important cybersecurity enforcement action that has broad implications for registered investment advisers. In a Settlement Order, the SEC found that R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, “willfully violated” the Safeguards Rule. From September 2009 through July 2013, the firm stored sensitive, unencrypted personally identifiable information (“PII”) of clients and others on an unencrypted, third-party-hosted web server.
In requiring that broker-dealers, investment companies, and registered investment advisers guard against cybersecurity breaches, the SEC has relied on its authority under Sections 501, 504, and 505 of the Gramm-Leach-Bliley Act of 1999 to create the new regulations. The “Safeguards Rule” is Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)). Enforcement actions initiated by the SEC relating to computer security are often grounded in violations of the Safeguards Rule.
The rule provides:
Every broker, dealer, and investment company, and every investment adviser registered with the Commission must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to:
(1) Insure the security and confidentiality of customer records and information;
(2) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
(3) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
In April of this year, following the SEC cybersecurity Roundtable, the SEC released new data safeguard regulations, including an outline of what has come to be known as the Safeguards Rule. The new regulations issued after April 2015 guard against registered entities that lack a minimum of reasonable policies and procedures in the following areas: 1) governance and risk assessment; 2) access rights and controls; 3) data loss prevention; 4) vendor management; and 5) training and incident response. Parker MacIntyre has recently released a set of blog entries relating to the SEC’s 2015 cybersecurity initiatives.
The SEC published a Risk Alert in September of 2015 announcing that it would be performing a second round of cybersecurity examinations into the registered entities.
R.T. Jones Capital Equities Management offered a number of “model” investment portfolios to its clients via a managed account option called “Artesys.” R.T. Jones verified its clients’ eligibility to participate in the account option by asking them to log on to the Firm’s website and enter their names, dates of birth, and Social Security numbers. In addition, the Artesys plan sponsor provided R.T. Jones with information regarding the other plan participants to assist with the login verification process. As a result, the Firm possessed PII for approximately 100,000 individuals, some of whom were not enrolled in the Artesys option. R.T. Jones stored the data on an unencrypted, third-party-hosted server, which was breached by a Chinese hacker.
In July 2013, the Firm discovered that this data had been compromised. Even though there had been no reported losses to R.T. Jones’ clients, and even though the Firm itself had been victimized by the breach, the SEC commenced an enforcement action. R.T. Jones Capital Equities Management decided to settle charges that the Firm failed to adequately protect personal information.
The SEC previously has noted that “funds and advisers are varied in their operations, they should tailor their compliance programs based on the nature and scope of their businesses.” The SEC Order found that R.T. Jones failed to do the following: conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity failures. R.T. Jones was found to have failed to adopt any written policies and procedures to ensure the security and confidentiality of PII and to protect it from anticipated threats or unauthorized access. R.T. Jones took additional remedial steps to mitigate future risks, as the SEC’s “cease and desist” Order required. The specific remedial measures included:
1) appointment of an information security manager;
2) adoption of a written information security policy;
3) storage of PII on an internal network, in encrypted form;
4) installation of a new firewall and logging system; and
5) engagement of a cybersecurity firm to provide reports and assessments.
To date, the firm has not received any indications of a client suffering financial harm as a result of the cyber-attack. “As we see an increasing barrage of cyber-attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients,” said Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit. “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
To mitigate the damage of this cybersecurity attack, R.T. Jones promptly retained more than one cybersecurity consulting firm to confirm the attack, determine its extent, provide notice of the breach to every individual whose PII may have been compromised, and offer free identity theft monitoring through a third-party provider. These remedial measures were not sufficient to avoid liability under the Safeguards Rule. In accordance with the SEC Order, R.T. Jones agreed to “cease and desist” and also agreed to pay a $75,000 penalty.
Parker MacIntyre provides legal and compliance services to investment advisers, broker dealers, registered representatives, hedge funds, and issuers of securities, among others. Our regulatory practice group assists financial service providers with complex issues that arise in the course of their business, including complying with federal and state cybersecurity laws and rules. Please visit our website for more information.