- The Washington Times - Wednesday, September 23, 2015

The Securities and Exchange Commission has reached a deal with an investment advisory firm accused of failing to properly protect the personal information of around 100,000 individuals whose data was accessed by hackers.

R.T. Jones Capital Equities Management of St. Louis has agreed to be censured and pay a $75,000 penalty to the SEC to resolve claims surrounding a July 2013 security breach.

In paying the fee, R.T. Jones will be left off the hook for having failed to establish cybersecurity policies and procedures as required by law ahead of the hack that ultimately allowed the personal identifiable information of thousands of clients to be compromised.

The investment advisory firm had not been accused of exhibiting lax security practices but rather for failing to implement even basic precautionary measures. In turn, the SEC accused R.T. Jones of violating a provision of the Securities Act of 1933 — specifically, a rule requiring every investment adviser registered with the commission to adopt “written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”

The SEC said the firm had “failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information” ahead of the breach. The agency said in a statement released on Tuesday that R.T. Jones had not only avoided conducting periodic risk assessments, but also failed to implement a firewall to restrict access to its servers, encrypt the data of its users “or maintain a response plan” for dealing with cyber incidents.

“As we see an increasing barrage of cyberattacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients,” said Marshall S. Sprung, the co-chair of the agency’s Enforcement Division’s Asset Management Unit.

“Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs,” Mr. Sprung said.

To date, the firm has not been made aware of any instances in which the compromised data has been abused. The SEC said audits performed by at least two security firms had concluded the hack was waged by actors operating on behalf of China.

Separately, the 3rd Circuit Court of Appeals ruled last month that the Federal Trade Commission can fine firms that lose consumer data to hackers if breaches result from “unfair” or “deceptive” business practices, as deemed by the FTC.

Sign up for Daily Newsletters

Manage Newsletters

Copyright © 2021 The Washington Times, LLC. Click here for reprint permission.

Please read our comment policy before commenting.


Click to Read More and View Comments

Click to Hide