SEC Fines Adviser for Failing to Adopt Proper Cybersecurity Policies

This week marked the FIRST time the SEC has fined a company for not properly securing personal information, going after the company for failing to apply proper cybersecurity policies and processes. The SEC’s order finds that R.T. Jones violated Rule 30(a) of Regulation S-P under the Securities Act of 1933. We are sure many more issues like these will follow.

This rule is from 80 years ago, so old that cyber anything wasn't even an idea in anyone's mind. The rule requires registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information. It looks like this law, written 80 years ago, fits pretty well into the industry we have today.

According to the SEC’s order instituting a settled administrative proceeding:

  • R.T. Jones stored sensitive PII (Personally Identifiable Information) of clients and others on its third party-hosted web server from September 2009 to July 2013.

  • The firm’s web server was attacked in July 2013 by an unknown hacker who gained access and copy rights to the data on the server, rendering the PII of more than 100,000 individuals, including thousands of R.T. Jones’s clients, vulnerable to theft.

  • The firm failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information.  For example, R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.

  • After R.T. Jones discovered the breach, the firm promptly retained more than one cybersecurity consulting firm to confirm the attack, which was traced to China, and determine the scope.

  • Shortly after the incident, R.T. Jones provided notice of the breach to every individual whose PII may have been compromised and offered free identity theft monitoring through a third-party provider.

  • To date, the firm has not received any indications of a client suffering financial harm as a result of the cyber attack.

As far as I can tell, the firm handled the breach as best they could after it was noticed. The issue the SEC found was that the firm had failed to adopt any written policies or procedures to protect its data systems. Using the NIST Cybersecurity Framework, which the SEC and other regulators have been directing firms to utilize for the past 2 years, would have put the firm in better standing with the SEC and would not have ended up costing them $75,000 in fines.

If your firm is looking for guidance on implementing the NIST Cybersecurity Framework and being able to prove to regulators that you are keeping up with best practices across your firm, please contact us at FINSECTECH today.