Investment Adviser and SEC Agree to Settle Charges Arising out of Failure to Adopt Written Cybersecurity Policies Required by the Safeguards Rule

Jackson Walker

The SEC charged investment adviser R.T. Jones with willfully violating the Safeguards Rule by failing to adopt written policies and procedures designed to protect customer records and information. The Safeguards Rule requires that investment advisers adopt, in writing, policies and procedures designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. To resolve these charges, R.T. Jones submitted an Offer of Settlement, which the SEC accepted.  

According to the SEC, from September 2009 through July 2013, R.T. Jones stored unencrypted, sensitive personally identifiable information ("PII") of clients and others on its third-party-hosted web server. In July 2013, the web server was allegedly hacked by an intruder who gained access to the PII of more than 100,000 individuals.

After discovering the breach, R.T. Jones promptly retained multiple cybersecurity consulting firms. One firm traced the attack to China, but none of the forensic firms were able to ascertain whether the files containing PII had been accessed during the breach. R.T. Jones subsequently provided notice of the breach incident to the individuals whose PII might have been compromised and offered them credit monitoring. None of R.T. Jones' clients reported that they suffered financial harm as a result of the attack.

Based on these facts, the SEC charged R.T. Jones with willfully failing to comply with the Safeguards Rule's requirement that it adopt written policies and procedures to safeguard customer information.

Once it learned about the breach, R.T. Jones took remedial steps to mitigate future risks. It appointed an information security manager and adopted a written information security policy. PII is now stored on an internal network and is encrypted. R.T. Jones also installed a new firewall and logging system, and has engaged a cybersecurity firm to provide reports and assessments.

After considering R.T. Jones' conduct and its remedial efforts, the SEC accepted R.T. Jones' settlement offer and censured R.T. Jones, ordered it to cease and desist from committing future violations of the Safeguards Rule, and imposed a civil penalty in the amount of $75,000.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jackson Walker | Attorney Advertising
