SEC Announces First Cybersecurity Enforcement Action Against an Investment Adviser for Failure to Protect Client Data

Bracewell LLP

On September 22, 2015, the Securities and Exchange Commission (SEC) announced its first cybersecurity-related enforcement action against an investment adviser for failure to protect customer records and information. According to the settlement, R.T. Jones Capital Equities Management, Inc. (R.T. Jones) failed to adopt written policies and procedures reasonably designed to protect customer records and information, in violation of Rule 30(a) of Regulation S-P (Safeguards Rule).

The Safeguards Rule requires registered investment advisers to adopt written policies and procedures reasonably designed to maintain the confidentiality and security of customer information, anticipate and defend against threats to the security of such information, and protect customers from harm or inconvenience as a result of unauthorized access to customer information.

R.T. Jones, a St. Louis-based investment adviser with $480 million in assets under management, stored the personal identifying information (PII) of clients, prospective clients, and eligible plan participants on a third-party-hosted web server. R.T. Jones had fewer than 8,000 plan participants, but the server housed the PII of over 100,000 individuals. Access to the PII was limited to two individual administrators.

In 2013, R.T. Jones detected a cybersecurity breach and retained multiple cybersecurity consulting firms to assess the scope of the breach. To date, R.T. Jones has not identified any client who has suffered any financial harm as a result of the cyberattack.

In response to the breach, R.T. Jones undertook a number of remedial actions, including adopting written policies, appointing an information security manager, and removing PII from its web server. While these efforts were considered by the SEC in the settlement process, the SEC ultimately censured the firm and assessed a civil penalty of $75,000.

The focus of the SEC in R.T. Jones was primarily on the inadequacy of the firm’s written policies and procedures for protecting customer information and not on the firm’s remedial response measures and the level of actual harm.

The full text of the R.T. Jones settlement is available here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bracewell LLP | Attorney Advertising
