SEC nails advisory firm for cybersecurity failure before data breach

An investment advisory firm has agreed to pay $75,000 to settle SEC charges that it failed to have a cybersecurity policy in place before a computer breach compromised 100,000 individuals’ personal information, including records of some of the firm’s clients.
The firm, R.T. Jones Capital Equities Management in St. Louis, also agreed to be censured.
Between September 2009 and July 2013, the firm stored sensitive personal information of its clients and others on a third party-hosted web server, according to a news release from the Securities and Exchange Commission. In July 2013, the web server was breached by an unknown hacker from China who gained access to the data. Though the firm has not received any indication of a client suffering as a result of the breach, it had risked all of its sensitive data, the SEC said.
The firm never adopted written policies and procedures, something the agency has pushed for since April. It did not conduct periodic risk assessments, implement a firewall, encrypt its personally-identifiable information or maintain a response plan for any incidents either. When the breach occurred, it contacted all involved and offered free identity theft monitoring through a third-party vendor.
R.T. Jones Capital Equities Management did not respond to a request comment.
“It is another testament to the fact that every firm should have a set of documented policies and procedures in line with the SEC and Finra mandates,” said Sid Yenamandra, chief executive of Entreda, a cybersecurity and risk-management company, referring to the case. “You’d be amazed how many firms don’t do it.”
Eugene Goldman, a senior member of law firm McDermott Will & Emery and a former SEC prosecutor, said more cases are likely.
“This is the start of a series of similar actions that will be brought this year and next,” Mr. Goldman said. “Further enforcement actions may be derived from deficiencies detected from the SEC’s inspections of advisers.”
The SEC declined to comment.
Mr. Goldman added that there is “the potential seriousness of the consequences of not having these policies and procedures, particularly the risk of not protecting clients from the hackers of personal information.”
It also lessens investor confidence, he said.
Marshall S. Sprung, co-chief of the SEC enforcement division’s asset management unit, said in the news release that the regulator will continue to enforce its safeguarding rules, whether or not there is clear financial harm to clients.
“Every time a breach event like this happens, you’ll see the SEC publicize it more,” Mr. Yenamandra said. “They’re trying to make it an example.”
The case puts a spotlight on the SEC’s mission to enforce more serious cybersecurity regulation.
In a guidance update, the commission’s division of investment management said advisers must not only provide written policies and procedures, but occasionally check the data it collects as well as the vulnerabilities of its systems and security. The Financial Industry Regulatory Authority Inc. has also been pushing for better cybersecurity processes by ramping up its random audits.