SEC nails advisory firm for cybersecurity failure before data breach

Firm pays $75,000 to settle charges after approximately 100,000 data records compromised as a result of hack

Sep 22, 2015 @ 5:19 pm

By Alessandra Malito

An investment advisory firm has agreed to pay $75,000 to settle SEC charges that it failed to have a cybersecurity policy in place before a computer breach compromised 100,000 individuals' personal information, including records of some of the firm's clients.

The firm, R.T. Jones Capital Equities Management in St. Louis, also agreed to be censured.

Between September 2009 and July 2013, the firm stored sensitive personal information of its clients and others on a third party-hosted web server, according to a news release from the Securities and Exchange Commission. In July 2013, the web server was breached by an unknown hacker from China who gained access to the data. Though the firm has not received any indication of a client suffering as a result of the breach, it had risked all of its sensitive data, the SEC said.

The firm never adopted written policies and procedures, something the agency has pushed for since April. It did not conduct periodic risk assessments, implement a firewall, encrypt its personally-identifiable information or maintain a response plan for any incidents either. When the breach occurred, it contacted all involved and offered free identity theft monitoring through a third-party vendor.

R.T. Jones Capital Equities Management did not respond to a request comment.

"It is another testament to the fact that every firm should have a set of documented policies and procedures in line with the SEC and Finra mandates," said Sid Yenamandra, chief executive of Entreda, a cybersecurity and risk-management company, referring to the case. "You'd be amazed how many firms don't do it."

Eugene Goldman, a senior member of law firm McDermott Will & Emery and a former SEC prosecutor, said more cases are likely.

"This is the start of a series of similar actions that will be brought this year and next," Mr. Goldman said. "Further enforcement actions may be derived from deficiencies detected from the SEC's inspections of advisers."

The SEC declined to comment.

Mr. Goldman added that there is "the potential seriousness of the consequences of not having these policies and procedures, particularly the risk of not protecting clients from the hackers of personal information."

It also lessens investor confidence, he said.

Marshall S. Sprung, co-chief of the SEC enforcement division's asset management unit, said in the news release that the regulator will continue to enforce its safeguarding rules, whether or not there is clear financial harm to clients.

"Every time a breach event like this happens, you'll see the SEC publicize it more," Mr. Yenamandra said. "They're trying to make it an example."

The case puts a spotlight on the SEC's mission to enforce more serious cybersecurity regulation.

In a guidance update, the commission's division of investment management said advisers must not only provide written policies and procedures, but occasionally check the data it collects as well as the vulnerabilities of its systems and security. The Financial Industry Regulatory Authority Inc. has also been pushing for better cybersecurity processes by ramping up its random audits.

0
Comments

What do you think?

View comments

Recommended for you

Sponsored financial news

Featured video

INTV

Why broker-dealers are on a roll

Deputy editor Bob Hordt and senior columnist Bruce Kelly discuss last year's bounce-back for IBDs.

Latest news & opinion

SEC advice rule may give RIAs leg up over broker-dealers

Experts say advisers will be able to point to their role as fiduciaries as a differentiator in the advice market.

Brokers accept proposed SEC rule on who can call themselves an adviser

Some say the rule will clear up investor confusion, but others say the SEC didn't go far enough.

SEC advice rule: Here's what you need to know

We sifted through the nearly 1,000-page proposal and picked out some of the most important points.

Cadaret Grant acquired by private-equity-backed Atria

75-year-old owner Arthur Grant positions the IBD for the 'next 33 years.'

SEC advice rule seeks to tighten reins on brokers

The proposed rule puts new restrictions on brokers, but it is still unclear how strongly the SEC is clamping down.

X

Hi! Glad you're here and we hope you like all the great work we do here at InvestmentNews. But what we do is expensive and is funded in part by our sponsors. So won't you show our sponsors a little love by whitelisting investmentnews.com? It'll help us continue to serve you.

Yes, show me how to whitelist investmentnews.com

Ad blocker detected. Please whitelist us or give premium a try.

X

Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print