On September 22, 2015, the SEC settled an enforcement action initiated against R.T. Jones Capital Equities Management, Inc. (“R.T. Jones”), an SEC-registered investment adviser, for its alleged failure to adopt written policies and procedures reasonably designed to protect its customers’ information and records in violation of Rule 30(a) of Regulation S-P under the Securities Act of 1933. Among other things, the SEC alleged that from September 2009 through July 2013, R.T. Jones stored clients’ personal information on a third party-hosted web server, which was ultimately attacked by an unknown hacker who gained access to the personal information of approximately 100,000 individuals, including thousands of the firm’s clients. Although R.T. Jones responded to the attack by promptly retaining multiple consulting firms to identify the source of the attack, notifying affected clients about the attack and offering clients free identity theft monitoring services, the SEC stated that the firm should have taken more proactive measures to detect, prevent and address such cyberattacks. For instance, the SEC suggested that R.T. Jones could have conducted periodic data security risk assessments, erected a firewall, encrypted clients’ personal information stored on its server and/or adopted a cybersecurity attack response plan. Importantly, the SEC brought this action despite the fact that there was no evidence to suggest that any R.T. Jones clients suffered any financial harm as a result of the data breach. Without admitting or denying the findings, R.T. Jones agreed to a cease-and-desist order, a censure and a $75,000 penalty to settle the action.
The action brought against R.T. Jones evidences the SEC’s growing emphasis on cybersecurity preparedness for investment advisers. Therefore, investment advisers should take a close look at how they store clients’ personal information, identify data security risks and adopt appropriate policies and procedures to address such risks. Investment advisers should also train their employees with respect to cybersecurity preparedness and the protection of customer information and records.