A recent comment by the Co-Chief of the SEC Enforcement Division’s Asset Management Unit, Marshall Sprung, should give a better sense of the urgency and seriousness behind the SEC’s ongoing push to improve cyber-security within our industry. Referring to recent sanctions against an RIA that suffered a security breach at a third party-hosted web server where client information was obtained, he said, “As we see an increasing barrage of cyber-attacks on financial firms, it is important to enforce the Safeguards Rule even in cases like this when there is no apparent financial harm to the clients.”
What makes his statement stand out is that, in the above case, confidential information was obtained by foreign hackers but no apparent financial harm was done to any of the clients, and sanctions were still imposed against the RIA. Rather than waiting for damages, the SEC is taking action when firms violate the Safeguards Rule [Rule 30(a) of Regulation S-P] by failing to conduct risk assessments, encrypt data, establish firewalls and establish procedures for responding to cyber-security breaches.
Specifically, the SEC cited R.T. Jones Capital Equities Management, Inc.’s “failure to adopt written policies and procedures reasonably designed to protect customer records and information in violation of Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”). From at least September 2009 through July 2013, R.T. Jones stored sensitive personally identifiable information (“PII”) of clients and other persons on its third party-hosted web server without adopting written policies and procedures regarding the security and confidentiality of that information and the protection of that information from anticipated threat or unauthorized access. In July 2013, the firm’s web server was attacked by an unauthorized unknown intruder, who gained access rights and copy rights to the data on the server. As a result of the attack, the PII of more than 100,000 individuals, including thousands of R.T. Jones’s clients, was rendered vulnerable to theft.”
As a result, R.T. Jones has appointed an information security manager to oversee data security and protection of PII, and has adopted a written information security policy. The firm also installed a new firewall and logging system to prevent and detect malicious incursions. It no longer stores PII on its web server, and any PII stored on its internal network is now encrypted. Finally, it retained a cyber-security firm to provide ongoing reports and advice on the firm’s information technology security.
Even with these steps taken, the SEC ordered R.T. Jones to cease and desist from committing or causing any violations and any future violations of Rule 30(a) of Regulation S-P, and imposed a civil money penalty of $75,000.
The bottom line: don’t wait until the damage is done. The risks are there now, and your liability can be managed if you start before you have a problem.
Not sure how to protect your firm and clients from cyber-security risk? Let Red Oak Compliance Solutions help you mitigate your risks.