Scarinci Hollenbeck, LLC
The Firm
201-896-4100 info@sh-law.com
Firm News
Author: Scarinci Hollenbeck, LLC
Date: November 11, 2015
On Sept 22, 2015, the SEC announced its settlement of an administrative cease-and-desist proceeding through imposition of remedial sanctions against R.T. Jones Capital Equities Management, Inc., an SEC-registered investment adviser.[1]
This is the first enforcement matter establishing a willful violation of Rule 30(a) of Regulation S-P under the Securities Act of 1933, known as the “Safeguards Rule.”[2] This proceeding is instructive for its itemization of the advisor’s failures over an extensive time period.
Interestingly, although the advisor discovered a possible cybersecurity breach at its third-party-hosted web server, and retained two cybersecurity consulting firms to independently confirm the cyber-attack, assess the scope of the breach and whether personally identifiable information (“PII”) stored on the server had been compromised, the attack did not appear to have caused any financial harm to any firm client. The firm’s failure to have the “basics” of a cybersecurity regime, however, was sufficient for the SEC to impose sanctions.[3]
The SEC determined that the advisor violated the Safeguards Rule, adopted in 2000 and amended in 2005, which requires adoption of written policies and procedures reasonably designed to safeguard clients’ PII. The adviser took certain remedial efforts by appointing an information security manager over its PII data security and implementing a written information security policy, which included: (a) moving off of a web server-hosted server, (b) encrypting PII, installing a new firewall and log-in system, and (c) retaining a cybersecurity firm to provide a report/advice on IT security. These efforts should be viewed as the minimum requirements the SEC’s OCIE and enforcement staff expect from a firm’s cybersecurity program.
What are the “takeaways” from this enforcement action? Firm management, CIOs/CTOs and CCOs should take into account, when considering the severity of the sanctions imposed against R.T. Jones, that during the past 18 months OCIE published two Risk Alerts on cybersecurity, and the SEC published a “Guidance Update” and hosted a Cybersecurity Roundtable.[4] There will not be much room for advisers to attempt to excuse their cybersecurity deficiencies in the context of this educational effort.
Cybersecurity remains a focus of OCIE and Enforcement. The time is now to plan and implement a year-end reassessment of firm cybersecurity breach readiness and Incident Response Plan (“IRP”).
Here are “actionable ideas” for assuring your firm (whether a broker-dealer, or investment adviser) has satisfied Cybersecurity basics:
[1] Order available at http://www.sec.gov/litigation/admin/2015/ia-4204.pdf; Press Release at http://www.sec.gov/news/pressrelease/2015-202.html.
[2] 17 C.F.R. §248-30(a).
[3] The Advisor was also censured and required to pay a $75,000 civil penalty.
[4] OCIE’s 2015 Cybersecurity Examination Initiative, IV National Exam Program Risk Alert, Sept. 15, 2015, https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination.initiative.pdf. National Exam Program Risk Alert, Feb. 3, 2015, at https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf. IM Guidance Update No. 2015-02 (April 2015), at http://www.sec.gov/investment/im-guidance-2015-02.pdf
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.