Cybersecurity is one of the current hot topics of discussion. Regulators here and abroad have expressed concern regarding cybersecurity. Breaches are periodically reported in the media. Now the SEC has brought its first enforcement action centered on cybersecurity. In the Matter of R.T. Jones Capital Equities Management, Inc., File No. 3-16827 (Sept. 22, 2015).
R.T. Jones is a registered investment adviser based in St. Louis, Missouri. The firm has about 8,400 client accounts and $480 million in regulatory assets under management. The firm provides investment advice to retirement plan participants under various agreements with plan administrators and sponsors. R.T. Jones uses an option called Artesys through which clients are offered a variety of model portfolios with a range of investment objectives and risk profiles.
Plan participants access Artesys through the R.T. Jones website. Investors enroll through the site by furnishing certain personal information and responding to a questionnaire. Based on that information R.T. Jones recommends a portfolio. If the client agrees the advisor provides trade instructions to the plan administrator. R.T. Jones does not control or maintain client accounts or information. It does, however, maintain information on all 100,000 plan participants which the firm obtained from the administrator. The information was stored on a third party-hosed server. It was not encrypted.
In July 2013 the firm discovered a potential cybersecurity breach at the server. R.T. Jones retained consulting firms to confirm and assess the scope of the breach. One consultant confirmed that the attack was launched from multiple IP addresses based in China. The consultants could not confirm the scope of the breach or if the personal information of the clients had been compromised. There is no indication to date that clients had suffered any financial harm from the attack.
The SEC’s Safeguard Rule, adopted in 2000, requires that every investment adviser adopt policies and procedures with certain protections. Specifically, those include: a requirement that the policies and procedures insure the security and confidentiality of customer records and information; protect against anticipated threats or hazards; and safeguard against unauthorized access. R.T. Jones failed to adopt any written policies and procedures in accord with the Rule. Thus the firm did not conduct periodic risk assessments, employ a firewall to protect the web server, encrypt client personal information or establish procedures for reporting an incident. The Order alleges violations of Rule 30(a), Regulation S-P.
Following the incident R.T. Jones appointed an information security manager to oversee data security. It also adopted and implemented a written information security policy and moved the client personal information to an internal server and encrypted it. The adviser also retained a cybersecurity firm to provide on-going advice and reports. The firm also cooperated with the staff’s investigation.
To resolve the proceeding Respondent consented to the entry of a cease and desist order based on the Rule cited in the Order and to a censure. R.T. Jones will also pay a penalty of $75,000. The Commission considered the firm’s remedial actions and cooperation in resolving the action.