SEC nails advisory firm for cybersecurity failure before data breach

Firm pays $75,000 to settle charges after approximately 100,000 data records compromised as a result of hack

Sep 22, 2015 @ 5:19 pm

By Alessandra Malito

+ Zoom

An investment advisory firm has agreed to pay $75,000 to settle SEC charges that it failed to have a cybersecurity policy in place before a computer breach compromised 100,000 individuals' personal information, including records of some of the firm's clients.

The firm, R.T. Jones Capital Equities Management in St. Louis, also agreed to be censured.

Between September 2009 and July 2013, the firm stored sensitive personal information of its clients and others on a third party-hosted web server, according to a news release from the Securities and Exchange Commission. In July 2013, the web server was breached by an unknown hacker from China who gained access to the data. Though the firm has not received any indication of a client suffering as a result of the breach, it had risked all of its sensitive data, the SEC said.

The firm never adopted written policies and procedures, something the agency has pushed for since April. It did not conduct periodic risk assessments, implement a firewall, encrypt its personally-identifiable information or maintain a response plan for any incidents either. When the breach occurred, it contacted all involved and offered free identity theft monitoring through a third-party vendor.

R.T. Jones Capital Equities Management did not respond to a request comment.

"It is another testament to the fact that every firm should have a set of documented policies and procedures in line with the SEC and Finra mandates," said Sid Yenamandra, chief executive of Entreda, a cybersecurity and risk-management company, referring to the case. "You'd be amazed how many firms don't do it."

Eugene Goldman, a senior member of law firm McDermott Will & Emery and a former SEC prosecutor, said more cases are likely.

"This is the start of a series of similar actions that will be brought this year and next," Mr. Goldman said. "Further enforcement actions may be derived from deficiencies detected from the SEC's inspections of advisers."

The SEC declined to comment.

Mr. Goldman added that there is "the potential seriousness of the consequences of not having these policies and procedures, particularly the risk of not protecting clients from the hackers of personal information."

It also lessens investor confidence, he said.

Marshall S. Sprung, co-chief of the SEC enforcement division's asset management unit, said in the news release that the regulator will continue to enforce its safeguarding rules, whether or not there is clear financial harm to clients.

"Every time a breach event like this happens, you'll see the SEC publicize it more," Mr. Yenamandra said. "They're trying to make it an example."

The case puts a spotlight on the SEC's mission to enforce more serious cybersecurity regulation.

In a guidance update, the commission's division of investment management said advisers must not only provide written policies and procedures, but occasionally check the data it collects as well as the vulnerabilities of its systems and security. The Financial Industry Regulatory Authority Inc. has also been pushing for better cybersecurity processes by ramping up its random audits.

0
Comments

What do you think?

View comments

Recommended for you

Featured video

INTV

How advisers can better communicate the risks and rewards of investing in emerging markets

Senior columnist John Waggoner discusses how financial advisers can help clients better understand the advantages of having exposure to emerging markets and the increased volatility that often comes along with investing in them.

Video Spotlight

A Teacher’s Lesson Plan

Sponsored by Prudential

Latest news & opinion

Cetera broker-dealers to pay back $3.3 million to clients overcharged for mutual funds

Over an eight-year period, the B-Ds failed to properly supervise sales charge waivers to clients in retirement plans and charitable organizations.

Fiduciary advocates press CFP Board for specifics on standards changes

Meanwhile, few brokerages and their trade associations, which blasted the DOL's fiduciary rule in comment letters, are responding to the CFP Board's proposal.

Big gains attract new money to emerging markets, but should investors stay?

An estimated $6.7 billion has flowed into emerging-market stock funds and ETFs so far this year, according to Morningstar.

Attorney blasts Finra after regulator loses insider trading case

Lawyer says it was 'slimy' of Finra to publicize the case while it was still being litigated.

Will Jeffrey Gundlach's Trump-like approach on Twitter work in financial services?

The DoubleLine CEO's attacks on Wall Street Journal reporters is igniting a discussion on what's fair game on social media.

X

Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print