Adviser Settles with SEC Over Defunct Cyber Risk Policy

The amount of cyber risk exposure in the financial services industry can be downright frightening to think about, but details of a recent settlement reached between the SEC and a St. Louis-based financial planner contain important lessons for retirement specialists assessing their own cybersecurity policies.

The Securities and Exchange Commission (SEC) confirmed a St. Louis-based investment adviser has agreed to settle charges that it failed to establish required cybersecurity policies and procedures.

According to SEC officials, the failures occurred in advance of a data breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including but not limited to thousands of the firm’s clients. An SEC investigation found that R.T. Jones Capital Equities Management violated basic safeguard rules during a nearly four-year period when it failed to adopt any written policies and procedures to reasonably ensure the security and confidentiality of sensitive client information and protect it from anticipated threats or unauthorized access.

According to the SEC’s order instituting a settled administrative proceeding, R.T. Jones stored sensitive PII of clients and others on its third party-hosted web server from September 2009 to July 2013. The firm’s web server was subsequently attacked in July 2013 by “an unknown hacker who gained access and copy rights to the data on the server,” rendering the PII of more than 100,000 individuals, including thousands of R.T. Jones’s clients, vulnerable to theft.

The specific failures cited in the settlement agreement are enlightening and suggest a lack of awareness of, or attention to, the SEC’s required procedures. At a high level, R.T. Jones apparently failed to conduct any kind of periodic cyber risk assessment, implement a firewall, encrypt the personally identifiable information stored on its server, or maintain a response plan for cybersecurity incidents.

These are all elements clearly called for by published SEC guidance, most recently through a compliance alert issued in April. That publication, which followed more extensive guidelines published in February, draws on a years-long effort by the SEC’s Office of Compliance Inspections and Examinations (OCIE) to improve the agency’s understanding of cyber risks in the investment industry. Among the key findings of the auditing effort, OCIE says, is that financial services firms appear more and more aware of the extensive cyber risk they face, but many are still unsure how to address a problem so potentially wide-reaching and dangerous to the health of their practices.


In a nod to the luckless R.T. Jones staff, SEC credits the firm with discovering the breach and promptly retaining “more than one cybersecurity consulting firm to confirm the attack, which was traced to China, and determining the scope.” Also to its credit, shortly after the incident, R.T. Jones proactively notified “every individual with PII that may have been compromised and offered free identity theft monitoring through a third-party provider.”

To date, the firm says it has not received any indication of a client suffering financial harm as a result of the cyber-attack, but this seems cold comfort indeed for SEC officials.

“As we see an increasing barrage of cyber-attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients,” says Marshall Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit. “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”

Specifically, the SEC charged R.T. Jones with violating “Rule 30(a) of Regulation S-P under the Securities Act of 1933.” Without admitting or denying the findings, R.T. Jones agreed to “cease and desist from committing or causing any future violations of Rule 30(a) of Regulation S-P.” The advisory firm also agreed to be censured and pay a $75,000 penalty.

Sprung points advisers and individuals with questions about data security to a new investor alert, “Identity Theft, Data Breaches, and Your Investment Accounts.” Available on the SEC’s website, the publication offers concrete steps for investors to take regarding their information and accounts if they become victims of identity theft or a data breach.