On Sept 22, 2015, the SEC announced its settlement of an administrative cease-and-desist proceeding through imposition of remedial sanctions against R.T. Jones Capital Equities Management, Inc., an SEC-registered investment adviser.
This is the first enforcement matter establishing a willful violation of Rule 30(a) of Regulation S-P under the Securities Act of 1933, known as the “Safeguards Rule.” This proceeding is instructive for its itemization of the advisor’s failures over an extensive time period.
Interestingly, although the advisor discovered a possible cybersecurity breach at its third-party-hosted web server, and retained two cybersecurity consulting firms to independently confirm the cyber-attack, assess the scope of the breach and whether personally identifiable information (“PII”) stored on the server had been compromised, the attack did not appear to have caused any financial harm to any firm client. The firm’s failure to have the “basics” of a cybersecurity regime, however, was sufficient for the SEC to impose sanctions.
The SEC determined that the advisor violated the Safeguards Rule, adopted in 2000, and amended in 2005, which requires adoption of written policies and procedures reasonably designed to safeguard client’s PII. The adviser took certain remedial efforts by appointing an information security manager over its PII data security and implemented a written information security policy, which included: (a) moving off of a web server-hosted server, (b) encrypting PII, installing a new firewall and log-in system, and (c) retaining a cybersecurity firm to provide a report/advice on IT security. These efforts should be viewed as the minimum requirements the SEC’s OCIE and enforcement staff’s expect from a firm’s cybersecurity program.
What are the “takeaways” from this enforcement action? Firm management CIO’s/CTO’s and CCO’s should take into account when considering the severity of the sanctions imposed against R.T. Jones that during the past 18 months, OCIE published two Risk Alerts on cybersecurity, and the SEC published a “Guidance Update,” and hosted a Cybersecurity Roundtable. There will not be much room for advisers to attempt to excuse their cybersecurity deficiencies in the context of this educational effort.
Cybersecurity remains a focus of OCIE and Enforcement. The time is now to plan and implement a year-end reassessment of firm cybersecurity breach readiness and Incident Response Plan. (“IRP”)
Here are “actionable ideas” for assuring your firm (whether a broker-dealer, or investment adviser) has satisfied Cybersecurity basics:
- Review the Firm’s Cybersecurity WSP’s and IRP; document the review process with COO/CIO/CTO/CLO, and engage with senior management for change approvals as required.
- Review third-party vendor/hosts agreements and understand the division of responsibilities between Firm and third-party; correct as determined to be necessary.
- Review Privacy Policies and BCP; revise as needed.
- Test (SSAE 16) firewall(s); BYOD coverage, encryption/password basics.
- Check the Firm’s internal audit examination process for ‘red flags’ of cybersecurity breach, as part of testing.
- Complete 2015 Cybersecurity Training Program; incorporate Cybersecurity topic in firm’s Annual Compliance Meeting.
- Consult with IT/Legal Experts, as required.
 Order available at http://www.sec.gov/litigation/admin/2015/ia-4204.pdf; Press Release at http://www.sec.gov/news/pressrelease/2015-202.html. 17 C.F.R. §248-30(a). The Advisor was also censured and required to pay a $75,000 civil penalty. OCIE’s 2015 Cybersecurity Examination Initiative, IV National Exam Program Risk Alert, Sept. 15, 2015, https://www.sec.gov/ocie/announcement/ocie-2015 – cybersecurity-examination.initiative.pdf. National Exam Program Risk Alert, Feb. 3, 2015, at https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf. IM Guidance Update No. 2015-02 (April 2015), at http://www.sec.gov/investment/im-guidance-2015-02.pdf