SEC Brings Enforcement Action Against Investment Adviser

Jason Daniel, Natasha Kohne, Prakash Mehta, Eliot Raffkind, Michelle Reed, Stephen Vine
Akin Gump Strauss Hauer & Feld LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Just one week after the Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations issued a new risk alert on cybersecurity, the SEC brought an enforcement action against an investment adviser under Regulation S-P for its “failure to adopt policies reasonably designed to protect customer records and information.” Although there is no evidence that any client suffered financial harm, the investment adviser settled for $75,000. 

The investment adviser, RT Jones Capital Equities Management, Inc. (“RT Jones”), offered advisory services to participants in a benefit plan. In order to enroll in the services offered by RT Jones, the plan participants would go to a third-party-hosted server and enter their personally identifiable information, such as social security number, name and date of birth to verify their identity. RT Jones later discovered a breach on the third-party server. Although RT Jones had only about 8,400 customers, the data of more than 100,000 individuals who applied to be plan participants was stored on the third-party server. After a forensic investigation, it was unclear whether the personally identifiable information of the 100,000 plan participants was accessed or compromised, and RT Jones has not yet heard of any information indicating that a client has suffered any financial harm.

Despite this lack of clear harm to RT Jones’ clients, the SEC brought an enforcement action under Rule 30 of Regulation S-P for failure to implement safeguards designed to protect personally identifiable information. In particular, the SEC focused on the failure to:

  • conduct periodic risk assessments
  • implement a firewall
  • encrypt the personally identifiable information or
  • adopt a cybersecurity incident response plan.

In determining the penalty, the SEC noted RT Jones’ subsequent remedial efforts, including adopting a cybersecurity policy, ceasing to store personally identifiable information on its webserver and encrypting of its personally identifiable information in its internal network.

The enforcement action against RT Jones is likely a preview of future SEC enforcement against investment advisers and broker dealers. Firms should carefully construct cybersecurity policies and procedures, and review cybersecurity practices to ensure that information security measures are consistent with the emerging standard of care to be enforced by the SEC.

 

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akin Gump Strauss Hauer & Feld LLP | Attorney Advertising

Written by:

Akin Gump Strauss Hauer & Feld LLP
Akin Gump Strauss Hauer & Feld LLP
Contact
more
less

Akin Gump Strauss Hauer & Feld LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide