On Tuesday, the SEC announced that it had filed a settled enforcement action against R.T. Jones Capital Equities Management, an investment adviser. The enforcement action related to the firm's alleged failure to "establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients." Notably, the R.T. Jones matter is the first enforcement action that the SEC has ever brought against a regulated entity for a cybersecurity-related violation.
According to the SEC, R.T. Jones failed over a four-year period to adopt written cybersecurity policies and procedures that were reasonably designed to protect customer records and information, as required by the federal securities laws. This failure was spotlighted when, after R.T. Jones stored sensitive PII of clients and others on its third-party-hosted web server from September 2009 to July 2013, this server was "attacked in July 2013 by an unknown hacker who gained access and copy rights to the data on the server, rendering the PII of more than 100,000 individuals, including thousands of R.T. Jones’s clients, vulnerable to theft."
The SEC and R.T. Jones settled the SEC's claim that R.T. Jones' conduct violated Rule 30(a) of Regulation S-P under the Securities Act of 1933. Among other things, R.T. Jones agreed to be censured and to pay a $75,000 penalty. Rule 30(a) provides:
§ 248.30 Procedures to safeguard customer records and information.
Every broker, dealer, and investment company, and every investment adviser registered with the Commission must adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These policies and procedures must be reasonably designed to:
(a) Insure the security and confidentiality of customer records and information;
On his "Stark on IR" blog yesterday, Compliance Week columnist John Stark laid out four key messages that financial firms should take from the R.T. Jones case:
"This Was An Egregious Cybersecurity Failure at a Small Firm" -- Stark says that R.T. Jones’s failures were "serious, blatant and obvious," and may indicate the extreme type of cybersecurity failures that the SEC will pursue going forward.
"A New Seaboard Report" -- The R.T. Jones Order includes a detailed list of mitigating factors that the SEC considered. Stark believes that this list may provide "a useful and telling roadmap of proper compliance behavior amid data breaches."
"No Need to Identify Actual Customer Harm, and No Need to Identify the Actual Perpetrator of the Crime" -- Neither actual customer harm nor an actual perpetrator was identified in the SEC's Order.
"The SEC’s Administrative Forum is the Preferred Venue for Cybersecurity Failures" -- Stark says that, like the R.T. Jones matter, future SEC enforcement matters involving cybersecurity failures will also likely be filed as administrative proceedings (APs), given the agency's "own specialized and uniquely capable administrative forum."
Check out Stark's full analysis of the R.T. Jones case here.