For the last few years, the SEC has been issuing guidance as to appropriate cybersecurity policies and procedures for financial firms. In a move that signal’s the regulator’s willingness to put muscle into its cybersecurity guidance, the SEC announced an agreement with St. Louis-based investment company, R.T. Jones Capital Equities Management (“R.T. Jones” or “the company”), to settle charges that the company failed to adequately safeguard the personal information (“PI”) of approximately 100,000 individuals. Consistent with this trend, the SEC has announced that its Office of Compliance Inspections and Examinations (“OCIE”) would be conducting a second round of investigations into the cybersecurity practices of brokerage and advisory firms (the “Cybersecurity Examination Initiative”). These moves signal the SEC’s increasing scrutiny of investment firms’ information security practices and indicate the regulator’s willingness to enforce the guidance that it has issued.
On February 3, 2015, the U.S. Securities and Exchange Commission released a Risk Alert addressing cybersecurity issues at brokerage and advisory firms, along with suggestions to investors on ways they can protect themselves and their online accounts. FINRA issued a similar, more extensive “Report on Cybersecurity Practices” on the same day.