The rules require registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information. The SEC has already launched its second sweep in regards to cybersecurity and has now fined R.T. Jones Capital Equities Management $75,000 for failure to have policies and procedures to mitigate a data breach.
According to the SEC’s order:
- R.T. Jones stored sensitive personally identifiable information (“PII”) of clients on its third-party-hosted web server from September 2009 to July 2013.
- The firm’s server was attacked in July 2013 by an unknown hacker who gained access and copy rights to the data on the server, rendering the PII of more than 100,000 individuals vulnerable to theft.
- The firm failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information (i.e., it did not conduct periodic risk assessments, implement a firewall, encrypt the PII stored on the server, or maintain a response plan for cybersecurity incidents).
Even though the firm had not received any indication of a client suffering financial harm as a result of the cyber attack, the firm was censured and fined.
“As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients,” said Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit. “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
Need help creating and implementing your cybersecurity policy? Let Red Oak guide you in protecting your clients’ PII. Do not make the mistake of thinking it will never happen to you.