In September 2015, the SEC filed a settled enforcement action against R.T. Jones Capital Equities Management for the firm's alleged failure to "establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients." The SEC stated at the time that the R.T. Jones matter was its first against a regulated entity for a cybersecurity-related violation.
The SEC brought its new-age case against R.T. Jones pursuant to Rule 30(a) of Regulation S-P under the Securities Act of 1933, which lays out procedures regulated entities must follow to safeguard customer records and information. Financial Planning reports that in a webcast this week, SEC Enforcement Director Andrew Ceresney stated that other similar cybersecurity cases alleging violations of Regulation S-P are "coming down the pike."
Citing the R.T. Jones case, Ceresney stated that "cyber is obviously a focus of ours, as I know it is for the other divisions, and we've brought a number of cases there relating to Reg S-P and failure to have policies and procedures relating to safeguarding information."
Earlier this month, the SEC filed another case under Reg S-P. On April 12, 2016, the SEC brought a settled administrative proceeding against Craig Scott Capital, LLC, a registered broker-dealer, and its two principals, alleging that they violated Reg S-P's requirements that broker-dealers adopt written policies and procedures to protect confidential customer information and records, as well as the requirement to keep and maintain copies of all business communications.
Specifically, the SEC alleged that the broker-dealer or its principals failed to protect customer information by, among other things:
using "personal email addresses to receive thousands of faxes from customers and other third parties. These faxes routinely included sensitive customer records and information, such as customer names, addresses, social security numbers, bank and brokerage account numbers, copies of driver’s licenses and passports, and other customer financial information;"
using personal email addresses for matters relating to the firm's business;
not maintaining and preserving either these faxes or this email; and
not having adequate written supervisory procedures to protect customer information and records.
Under the settlement, Craig Scott Capital agreed to pay a $100,000 civil money penalty, and both of the principals agreed to pay a $25,000 civil money penalty. The respondents neither admitted nor denied the SEC's findings pursuant to the settlement.