The Securities and Exchange Commission (SEC) slapped St. Louis-based investment adviser R.T. Jones Capital Equities Management with a $75,000 penalty in a settlement over the firm's failure to establish cybersecurity policies and procedures before a breach compromised personal information of 100,000 people.
An investigation by the SEC found that during a four-year period R.T. Jones failed to adhere to a “safeguards rule” which requires firms to “adopt written policies and procedures reasonably designed to protect customer records and information,” according to an agency release.
Instead, the commission said, R.T. Jones, which stored sensitive information on a third-party server, didn't conduct regular risk assessments, implement a firewall, adopt encryption or even create a plan to respond to cybersecurity incidents.
Once R.T. Jones discovered in July 2013 that the server had been breached, exposing information on customers and others, it called in a cybersecurity firm to confirm and investigate the attack, which was eventually traced to China. The investment adviser also sent a breach notice to everyone potentially affected and offered, as is standard, free identity theft monitoring.
While the SEC found no evidence that any of the firm's clients had been harmed financially in the attack, the commission said R.T. Jones violated the safeguards rule (Rule 30(a) of Regulation S-P), which it cited as a rule adopted under the Securities Act of 1933.
“As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients,” Marshall S. Sprung, co-chief of the SEC Enforcement Division's Asset Management Unit, said in the release. “Firms must adopt written policies to protect their clients' private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
The SEC has been under increasing pressure from lawmakers and from within to drop the hammer on firms that fail to protect their clients against cyber intrusions.
SEC Commissioner Kara Stein recently told the Financial Times that the regulatory agency needed “to play a much more active role in trying to help companies better protect themselves against an increasing number of cyber security issues in a world in which we are all increasingly connected.”
The SEC's Office of Investor Education and Advocacy issued an alert encouraging investors to take steps to protect themselves. Recommendations included contacting investment firms "immediately" if personal financial information has been stolen, changing online passwords, closing compromised accounts where prudent, using two-factor authentication, monitoring accounts for suspicious activity and placing a fraud alert on credit files.