The federal securities laws require registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information. An SEC investigation found that R.T. Jones Capital Equities Management violated this “safeguards rule” during a nearly four-year period in which it failed to adopt any written policies and procedures to ensure the security and confidentiality of personally identifiable information (PII) and to protect it from anticipated threats or unauthorized access.
According to the SEC’s order instituting a settled administrative proceeding:
- R.T. Jones stored sensitive PII of clients and others on its third-party-hosted web server.
- The firm failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information. For example, R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.
- Shortly after the incident, R.T. Jones was required to provide notice of the breach to every individual whose PII may have been compromised, and it offered free identity theft monitoring through a third-party provider.
“Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs,” said Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit.
The SEC’s order finds that R.T. Jones violated Rule 30(a) of Regulation S-P under the Securities Act of 1933. Without admitting or denying the findings, R.T. Jones agreed to cease and desist from committing or causing any future violations of Rule 30(a) of Regulation S-P. R.T. Jones also agreed to be censured and pay a $75,000 penalty.
Speak to a security expert at Abaxio today about any of the IT Security Policies your firm may be required to have in place: