Investment advisory firm R.T. Jones last week reached a $75,000 settlement with the Securities and Exchange Commission for failing to implement cyber-security policies, ultimately resulting in a cyber-attack that compromised the personally identifiable information of 100,000 individuals.
According to the SEC, R.T. Jones failed to adopt written policies and procedures "reasonably designed to protect customer records and information," in violation of the "Safeguards Rule." Adopted in 2000, the Safeguards Rule requires every investment adviser registered with the SEC to adopt policies and procedures that:
Ensure the security and confidentiality of customer records and information;
Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
From at least September 2009 through July 2013, R.T. Jones stored sensitive personally identifiable information (PII) of clients and other persons on its third party-hosted Web server without adopting written policies and procedures regarding the security and confidentiality of that information and the protection of that information from anticipated threats or unauthorized access, the SEC said.
R.T. Jones’ policies and procedures for protecting its clients’ information did not include, for example, conducting periodic risk assessments, employing a firewall to protect the Web server containing client PII, encrypting client PII stored on that server, or establishing procedures for responding to a cyber-security incident. In July 2013, the firm’s Web server was attacked by an unauthorized, unknown intruder traced to China, who gained access rights and copy rights to the data on the server.
To mitigate the risk of future cyber threats, R.T. Jones took the following remedial measures:
Appointed an information security manager to oversee data security and protection of PII;
Adopted and implemented a written information security policy;
Stopped storing PII on its Web server and encrypted any PII stored on its internal network;
Installed a new firewall and logging system to prevent and detect malicious incursions; and
Retained a cyber-security firm to provide ongoing reports and advice on the firm’s information technology security.
In addition to the $75,000 penalty, R.T. Jones agreed to be censured.