Last week the Securities and Exchange Commission issued a new risk alert on cybersecurity and this week the SEC announced a new action for a cybersecurity breach. The action is just as bad as I thought it could be. It also shows that the SEC is misplaced in being a cybersecurity enforcer.
R.T. Jones Capital Equities is a registered investment adviser with about 8400 clients. The firm discovered a breach in July 2013. According to the SEC order, the firm hired at least two cybersecurity firms to assess the breach. Neither cybersecurity firm could determine if Personally Identifiable Information was accessed or compromised during the breach.
According to the order, R.T. Jones has not learned that the breach resulted in any losses to its clients or that their accounts have been compromised. There is only the potential loss of data.
Even with no financial harm, the SEC decided to bring an action.
The cybersecurity firms did discover that the attack was based in mainland China and launched from multiple IP addresses. At every conference that I hear about cybersecurity, an expert will always point out that you cannot prevent an attack and an eventual breach. If there is concerted effort from a sponsored group, the hackers will find a way in.
The SEC cited its “safeguards rule”: Rule 30(a) of Regulation S-P (17 C.F.R.§248.30(a)) as the basis for the action. According to a story by Nicholas Donato in Private Funds Management only in two other instances has the SEC cited this rule in enforcement action: PL Financial Corporation in 2008 and stock trading firm Commonwealth Equity in 2009.
The SEC also goes on to cite that the R.T. Jones compromised server had non-client PII on it. I’m not sure that Safeguards Rule applies to non-customer information.
In the end, R.T. Jones was cited for failing to adopt written policies and procedures reasonably designed to safeguard customer information. For example, R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.
The SEC also fails to establish that adoption of those written policies and procedures would have prevented the breach. But even a non-computer expert like me thinks it was poor effort on the part of R.T. Jones for not having a firewall when there is PII on a public facing webserver. Perhaps the firm’s failing was egregious. The SEC does not state so.
The SEC does state that R.T. Jones had no written policies and procedures for PII. They were not inadequate. They just did not exist. That is one big takeaway from the action. Firms need to at least try to prevent the loss of PII and have the written policies and procedures to try and prevent a breach.
Sources:
- SEC Charges Investment Adviser With Failing to Adopt Proper Cybersecurity Policies and Procedures Prior To Breach
- SEC order against R.T. Jones
- Investor Alert – Identity Theft, Data Breaches, and Your Investment Accounts
- SEC fires cybersecurity warning shot ahead of sweep by Nicholas Donato in Private Funds Management
- So who thought that the SEC was not serious about cybersecurity by Joshua Horn in Securities Compliance Sentinel
- SEC Doubles Down on Cybersecurity by John Reed Stark in Cybersecurity Docket
- SEC Says No More Mr. Nice Guy on Investment Adviser Cybersecurity by David Smyth in Cady Bar the Door
