SEC Fines Adviser for Security Breach

A St. Louis-based investment adviser has agreed to settle charges by the Securities and Exchange Commission that it failed to establish required cybersecurity policies in advance of a security breach that compromised customer data.

The SEC said that the breach compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients.

The SEC’s order finds that R.T. Jones violated Rule 30(a) of Regulation S-P under the Securities Act of 1933. Without admitting or denying the findings, R.T. Jones agreed to cease and desist from committing or causing any future violations of Rule 30(a) of Regulation S-P. R.T. Jones also agreed to be censured and pay a $75,000 penalty.

Federal securities laws require registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information, and an SEC investigation found that R.T. Jones Capital Equities Management violated this “safeguards rule” during a nearly four-year period when it failed to adopt any written policies and procedures to ensure the security and confidentiality of PII and protect it from anticipated threats or unauthorized access.

According to the SEC, R.T. Jones stored sensitive PII of clients and others on its third party-hosted web server from September 2009 to July 2013, when it was attacked by an unknown hacker who gained access and copy rights to the data on the server, rendering the PII of more than 100,000 individuals, including thousands of R.T. Jones’ clients, vulnerable to theft.

The SEC said that the firm “failed entirely” to adopt written policies and procedures reasonably designed to safeguard customer information, specifically citing as examples R.T. Jones’ failure to:


  • conduct periodic risk assessments;

  • implement a firewall;

  • encrypt PII stored on its server; or

  • maintain a response plan for cybersecurity incidents.


However, the SEC noted that once R.T. Jones discovered the breach, the firm promptly retained more than one cybersecurity consulting firm to confirm the attack, which was traced to China, and determine its scope. The SEC also noted that shortly after the incident, R.T. Jones provided notice of the breach to every individual whose PII may have been compromised and offered free identity theft monitoring through a third-party provider.

Additionally, to date, the firm has not received any indications of a client suffering financial harm as a result of the cyberattack.
