The Securities and Exchange Commission (“SEC”) has sanctioned an investment adviser and fined it $75,000 for failing to “adopt written policies and procedures reasonably designed to protect customer records and information.” The SEC alleges that this failure, which was a violation of its Safeguards Rule, contributed to a cyber attack against the investment adviser that put the sensitive personally identifiable information (“PII”) of more than 100,000 individuals at risk. The Safeguards Rule, part of the SEC’s Regulation S-P, requires brokers, dealers, investment companies, and registered investment advisers to, among other things, “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”
Specifically, on September 22, 2015, the SEC issued an Order imposing remedial sanctions and a cease-and-desist order against R.T. Jones Capital Equities Management, Inc. R.T. Jones manages approximately 8400 accounts and approximately $480 million in assets under management. One of the services R.T. Jones offers, which is the subject of the SEC action, is to provide customers that are participants in certain retirement plans with recommendations for investment portfolio allocations based on a questionnaire on R.T. Jones’ website. Although R.T. Jones provided this service to less than 8,000 plan participants, it maintained a database of more than 100,000 individuals’ PII (including social security numbers, names, and dates of birth), which was used to verify that individuals seeking this service were indeed members of the plan.
Between at least September 2009 and July 2013, the SEC alleges that R.T. Jones stored the database containing PII unencrypted on a third-party hosted web server. In July 2013, R.T. Jones discovered that the web server had been breached and engaged two forensic investigators to determine the scope of the incident. Ultimately, although an intrusion was confirmed, the investigators were unable to determine whether the PII stored on the server had been accessed, acquired, or otherwise compromised during the attack. (Notably, this was attributed to the fact that the intruder had destroyed the logs associated with his or her activities.) R.T. Jones opted to notify the affected individuals of the incident nonetheless. The SEC states that “[t]o date, the firm has not learned of any information indicating that a client has suffered any financial harm as a result of the cyber attack.” The SEC does not address whether the other plan participants affected by the incident who were not clients of R.T. Jones were harmed financially. Indeed, it remains to be seen whether another regulator will take action against the plans themselves, which provided R.T. Jones with a full database of plan participants’ sensitive information, well beyond the 8,000 individuals managed by the firm, while failing to ensure that adequate protections were used to protect such data.
During the time that the database was hosted unencrypted on R.T. Jones’ webserver, the SEC alleges that the firm failed to adopt “any written policies and procedures reasonably designed to safeguard its clients’ PII as required by the Safeguards Rule.” Notably, the SEC lists as examples of policies and procedures that R.T. Jones did not have in place: “conducting periodic risk assessments, employing a firewall to protect the web server containing client PII, encrypting client PII stored on that server, or establishing procedures for responding to a cybersecurity incident.” SEC-regulated entities should therefore be sure to consider these practices in their own information security policies and procedures, as necessary, in addition to those covered in the SEC Office of Compliance Inspections and Examinations’ recent Risk Alert and its Cybersecurity Examination Sweep Summary from earlier this year.
The SEC notes that R.T. Jones has, since the cyber attack against it:
- appointed an information security manager to oversee data security and protection of PII;
- adopted and implemented a written information security policy;
- discontinued the storage of PII on its webserver (and any PII stored on its internal network is encrypted);
- installed a new firewall and logging system to prevent and detect malicious incursions; and
- retained a cybersecurity firm to provide ongoing reports and advice on the firm’s information technology security.
Nonetheless, the Commission sanctioned the firm an additional $75,000, noting that it “considered the remedial acts promptly undertaken by R.T. Jones and the cooperation R.T. Jones afforded the Commission staff” in determining the appropriate penalties. (The remedial actions taken by R.T. Jones may also be regarded as potential guidance for SEC-regulated entities.)
While this enforcement is by no means the first under Regulation S-P against an investment advisor or company for failing to have a written information security program in place, it may mark a shift in the enforcement strategy at the SEC. In a press release announcing the public administrative and cease-and-desist proceedings against R.T. Jones, Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit stated: “As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients.” This appears to indicate the SEC’s intent to enforce the Safeguards Rule regardless of whether clients of financial institutions are adversely affected. In other words, the SEC may intend to step up its enforcement of Regulation S-P based on the risk of harm to investors, rather than actual harm. Such a strategy is consistent with this proceeding, in which the investment adviser’s alleged security failings were particularly egregious.