For the last few years, the SEC has been issuing guidance as to appropriate cybersecurity policies and procedures for financial firms. In a move that signals the regulator’s willingness to put muscle into its cybersecurity guidance, the SEC announced an agreement with St. Louis-based investment company R.T. Jones Capital Equities Management (“R.T. Jones” or “the company”) to settle charges that the company failed to adequately safeguard the personal information (“PI”) of approximately 100,000 individuals. Consistent with this trend, the SEC has announced that its Office of Compliance Inspections and Examinations (“OCIE”) would be conducting a second round of investigations into the cybersecurity practices of brokerage and advisory firms (the “Cybersecurity Examination Initiative”). These moves signal the SEC’s increasing scrutiny of investment firms’ information security practices and indicate the regulator’s willingness to enforce the guidance that it has issued.
The R.T. Jones Enforcement Action
R.T. Jones—a St. Louis-based investment advisor—offers a number of model investment portfolios to its clients via a managed account option called “Artesys.” The SEC alleged that R.T. Jones verified its clients’ eligibility to participate in the program by asking them to log on to the company’s website and enter their names, dates of birth, and Social Security numbers. R.T. Jones only managed approximately 8,000 accounts, but the Artesys plan sponsor provided R.T. Jones with information regarding the other plan participants in order to assist with the verification process. As a result, the company possessed PI for approximately 100,000 individuals. R.T. Jones stored the unencrypted data on a third-party hosted server. In July 2013, the company discovered that this data had been compromised.
Though the SEC Order acknowledges that none of the individuals affected in the breach were known to be harmed, the SEC took issue with R.T. Jones’s deficient policies and procedures. According to the Order, R.T. Jones failed to implement adequate cybersecurity policies and procedures in violation of the Gramm-Leach-Bliley Act Safeguards Rule. In particular, the SEC faulted R.T. Jones for failure to conduct periodic risk assessments, employ a firewall, encrypt the PI stored on the third-party web server, and maintain a cybersecurity incident response plan.
Notably, the action did not refer to any connection between the breach and the company’s alleged cybersecurity failures. Thus, the Order indicates the SEC’s willingness to enforce adequate cybersecurity policies and procedures regardless of whether the alleged lapse caused the breach or resulted in any harm to consumers.
R.T. Jones was censured and ordered to pay a $75,000 fine. The Order also required R.T. Jones to implement specific remedial measures designed to cure the alleged cybersecurity failures, such as:
- Appointing an information security manager responsible for data security and protection of PI;
- Adopting and implementing an information security policy;
- Not storing PI on the remote server; and
- Encrypting PI stored on the internal network.
2015 Cybersecurity Examination Initiative
The SEC recently published a Risk Alert announcing that it would be performing a second round of examinations into the cybersecurity practices of financial services firms. The regulator explained that its inquiries would be intended to “gather information on cybersecurity related controls and…test to assess implementation of certain firm controls” in the following categories: governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.
Taken together, the R.T. Jones enforcement action and the second cybersecurity sweep demonstrate that the SEC’s cybersecurity pronouncements are not just helpful tips. That said, firms seeking to enhance their cybersecurity posture need not start from scratch. In an appendix to the Risk Alert announcing the Cybersecurity Examination Initiative, the SEC provided specific guidance to financial firms as to the types of inquiry that it would make into each of the categories listed above. The R.T. Jones enforcement action demonstrates that the SEC will take an individualized view of each company’s cybersecurity practices should the company fall under the agency’s scrutiny. The Order also demonstrates that a firm can fall under SEC scrutiny as a result of any cybersecurity lapse, not just one that results in harm to consumers. In light of the SEC’s increased emphasis on cybersecurity, financial services firms should carefully consider the types of cybersecurity policies and procedures they employ. As the R.T. Jones matter shows, the SEC will not hesitate to exercise its regulatory enforcement authority if it believes a firm’s cybersecurity policies and procedures are not up to snuff.