In September 2015, the SEC filed a settled enforcement action against R.T. Jones Capital Equities Management for the firm’s alleged failure to “establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients.” The SEC stated at the time that the R.T Jones matter was its first against a regulated entity for a cybersecurity-related violation.
The SEC brought its new-age case against R.T. Jones pursuant to Rule 30(a) of Regulation S-P under the Securities Act of 1933, which lays out procedures regulated entities must follow to safeguard customer records and information. Financial Planning reports that in a webcast this week, SEC Enforcement Director Andrew Ceresney stated that other similar cybersecurity cases alleging violations of Regulation S-P are “coming down the pike.”
