SEC nails advisory firm for cybersecurity failure before data breach

Firm pays $75,000 to settle charges after approximately 100,000 data records compromised as a result of hack

Sep 22, 2015 @ 5:19 pm

By Alessandra Malito

An investment advisory firm has agreed to pay $75,000 to settle SEC charges that it failed to have a cybersecurity policy in place before a computer breach compromised 100,000 individuals' personal information, including records of some of the firm's clients.

The firm, R.T. Jones Capital Equities Management in St. Louis, also agreed to be censured.

Between September 2009 and July 2013, the firm stored sensitive personal information of its clients and others on a third party-hosted web server, according to a news release from the Securities and Exchange Commission. In July 2013, the web server was breached by an unknown hacker from China who gained access to the data. Though the firm has not received any indication of a client suffering as a result of the breach, it had risked all of its sensitive data, the SEC said.

The firm never adopted written policies and procedures, something the agency has pushed for since April. It did not conduct periodic risk assessments, implement a firewall, encrypt its personally-identifiable information or maintain a response plan for any incidents either. When the breach occurred, it contacted all involved and offered free identity theft monitoring through a third-party vendor.

R.T. Jones Capital Equities Management did not respond to a request comment.

"It is another testament to the fact that every firm should have a set of documented policies and procedures in line with the SEC and Finra mandates," said Sid Yenamandra, chief executive of Entreda, a cybersecurity and risk-management company, referring to the case. "You'd be amazed how many firms don't do it."

Eugene Goldman, a senior member of law firm McDermott Will & Emery and a former SEC prosecutor, said more cases are likely.

"This is the start of a series of similar actions that will be brought this year and next," Mr. Goldman said. "Further enforcement actions may be derived from deficiencies detected from the SEC's inspections of advisers."

The SEC declined to comment.

Mr. Goldman added that there is "the potential seriousness of the consequences of not having these policies and procedures, particularly the risk of not protecting clients from the hackers of personal information."

It also lessens investor confidence, he said.

Marshall S. Sprung, co-chief of the SEC enforcement division's asset management unit, said in the news release that the regulator will continue to enforce its safeguarding rules, whether or not there is clear financial harm to clients.

"Every time a breach event like this happens, you'll see the SEC publicize it more," Mr. Yenamandra said. "They're trying to make it an example."

The case puts a spotlight on the SEC's mission to enforce more serious cybersecurity regulation.

In a guidance update, the commission's division of investment management said advisers must not only provide written policies and procedures, but occasionally check the data it collects as well as the vulnerabilities of its systems and security. The Financial Industry Regulatory Authority Inc. has also been pushing for better cybersecurity processes by ramping up its random audits.

0
Comments

What do you think?

View comments

Recommended for you

Featured video

Events

Retirement: It's no longer about feeding pigeons from a park bench.

Today's retirees expect so much more from retirement than previous generations, and advisers are in prime position to help their clients understand what's important and what's not.

Latest news & opinion

Morgan Stanley CEO is happy that brokers are staying put

Firm has seen little attrition since it dumped the broker protocol last fall, Gorman says.

Bills to reform adviser regulation, increase sophisticated investors and protect seniors pass House

Measures included in package of 32 bipartisan bills meant to ease rules, spur investment

Genstar Capital buys majority stake in Cetera Financial Group

The private-equity firm has previously invested in such companies as Mercer Advisors and AssetMark.

Cetera Financial Group close to announcing its acquisition by private equity

Details of sale to one or more P-E firms could be announced as early as today.

10 best states for retirement

When it comes to places to retire, here are the 10 best states for enjoying your golden years.

X

Hi! Glad you're here and we hope you like all the great work we do here at InvestmentNews. But what we do is expensive and is funded in part by our sponsors. So won't you show our sponsors a little love by whitelisting investmentnews.com? It'll help us continue to serve you.

Yes, show me how to whitelist investmentnews.com

Ad blocker detected. Please whitelist us or give premium a try.

X

Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print