Abaxio Managed Security


SEC Requires Investment Advisors to Have Cybersecurity Policies in Place

Updated November 2015. When your clients Google your investment firm, make sure you end up on the first page – for something positive.

The Securities and Exchange Commission, for the first time in its history, has fined a registered advisor $75,000 for failing to establish the required cybersecurity policies and procedures in advance of a breach.

The federal securities laws require registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information. An SEC investigation found that R.T. Jones Capital Equities Management violated this “safeguards rule” during a nearly four-year period when it failed to adopt any written policies and procedures to ensure the security and confidentiality of PII and protect it from anticipated threats or unauthorized access.

According to the SEC’s order instituting a settled administrative proceeding:

  • R.T. Jones stored sensitive PII of clients and others on its third-party-hosted web server.
  • The firm failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information. For example, R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.
  • Shortly after the incident, R.T. Jones was required to provide notice of the breach to every individual whose PII may have been compromised, and it offered free identity theft monitoring through a third-party provider.

“Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs,” said Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit.

The SEC’s order finds that R.T. Jones violated Rule 30(a) of Regulation S-P under the Securities Act of 1933. Without admitting or denying the findings, R.T. Jones agreed to cease and desist from committing or causing any future violations of Rule 30(a) of Regulation S-P. R.T. Jones also agreed to be censured and pay a $75,000 penalty.

Speak to a security expert at Abaxio today about any of the IT Security Policies your firm may be required to have in place:

  • Acceptable Use Policy
  • Backup Policy
  • Confidential Data Policy
  • Data Classification Policy
  • Standard Forms
  • Email Policy
  • Encryption Policy
  • Guest Access Policy
  • Incident Response Policy
  • Third Party Connection
  • Mobile Device Policy
  • Network Access Policy
  • Network Security Policy
  • Outsourcing Policy
  • VPN Policy
  • Password Policy
  • Physical Security Policy
  • Remote Access Policy
  • Retention Policy
  • Wireless Access Policy