SEC settles a claim against R T Jones Capital Equities Management for failing to adopt proper cyber security policies prior to a cyber attack
September 23, 2015
The requirement for proper cyber security policies is no longer only of interest to privacy regulators. Earlier this year I posted on ASIC’s Report 429, Cyber Resilience (see "Report on Cyber Resilience highlights the need for proper cyber security, this time from ASIC"), in which ASIC makes it clear that it regards proper cyber security as being part of a director's legal obligations.
In the United States the Securities and Exchange Commission also has a not unreasonable interest in cyber security. Financial records contain considerable personal information and details which allow for fraud and identity theft. Yesterday it made clear that it takes poor cyber security practices seriously when it announced that it had settled charges against R T Jones Capital Equities Management for failing to establish appropriate cyber security policies and procedures prior to a breach which compromised the personal information of around 100,000 individuals. The failures were across the board, ranging from poor policies and processes and inadequate management to a failure to protect data by encrypting personal information. A penalty of $75,000 is particularly heavy by US standards, but there are also ongoing obligations to mitigate against cyber threats including:
The reputational damage is of course massive. The story has been picked up by Reuters. This inadequate level of protection and poor ability to respond is all too familiar in the Australian context.
The order is found here.
The media release provides:
The Securities and Exchange Commission today announced that a St. Louis-based investment adviser has agreed to settle charges that it failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients.
The federal securities laws require registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information. An SEC investigation found that R.T. Jones Capital Equities Management violated this “safeguards rule” during a nearly four-year period when it failed to adopt any written policies and procedures to ensure the security and confidentiality of PII and protect it from anticipated threats or unauthorized access.
According to the SEC’s order instituting a settled administrative proceeding:
- R.T. Jones stored sensitive PII of clients and others on its third party-hosted web server from September 2009 to July 2013.
- The firm’s web server was attacked in July 2013 by an unknown hacker who gained access and copy rights to the data on the server, rendering the PII of more than 100,000 individuals, including thousands of R.T. Jones’s clients, vulnerable to theft.
- The firm failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information. For example, R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.
- After R.T. Jones discovered the breach, the firm promptly retained more than one cybersecurity consulting firm to confirm the attack, which was traced to China, and determine the scope.
- Shortly after the incident, R.T. Jones provided notice of the breach to every individual whose PII may have been compromised and offered free identity theft monitoring through a third-party provider.
- To date, the firm has not received any indications of a client suffering financial harm as a result of the cyber attack.
“As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients,” said Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit. “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
The SEC’s order finds that R.T. Jones violated Rule 30(a) of Regulation S-P under the Securities Act of 1933. Without admitting or denying the findings, R.T. Jones agreed to cease and desist from committing or causing any future violations of Rule 30(a) of Regulation S-P. R.T. Jones also agreed to be censured and pay a $75,000 penalty.
The SEC also released an Investor Alert titled “Identity Theft, Data Breaches, and Your Investment Accounts,” with advice to investors on what to do regarding their investment accounts if they become victims of identity theft or a data breach.
It relevantly provides:
Contact your investment firm and other financial institutions immediately. If you think your personal financial information has been stolen, contact your broker-dealer, investment adviser or other financial professional immediately to report the problem. You should also contact any other financial institutions where you have accounts that may be impacted by the loss of your personal financial information. These may include banks, credit card companies, or insurance companies. Please remember to document any conversations with your investment or financial firms in writing.
Change your online account passwords. Immediately change the password for any investment or financial accounts associated with the compromised personal financial information. Always remember to use strong passwords that are not easy to guess, consisting of at least eight or more characters that include symbols, numbers and both capital and lowercase letters.
Consider closing compromised accounts. If you notice any unauthorized access into your investment account, you may want to ask your investment firm to close the account and move the assets to a new account. You should consult your investment firm about the best way to handle closing an account, if you choose to do so.
Activate two-step verification, if available. Your brokerage firm or investment adviser may offer a two-step verification process for gaining access to your online accounts. With a two-step verification process, each time anyone attempts to log into your account through an unrecognized device (i.e., a device you have not previously authorized on the account), your investment firm sends a unique code to either your e-mail or cell phone. Before anyone can gain access to your account, they must enter this code and your password. Activating this added layer of security may help reduce the risk of unauthorized access to your accounts by identity thieves.
Monitor your investment accounts for suspicious activity. Closely monitor your investment accounts for any suspicious activity. Look out for any changes to your account information that you do not recognize (e.g., a change to your address, phone number, e-mail address, account number, or external banking information). You should also confirm that you authorized all of the transactions that appear in your account statements and trade confirmations. If you find any suspicious activity, immediately report it to your investment firm. Please remember to document any conversations with your investment firm in writing and provide a copy to your investment firm.
Place a fraud alert on your credit file. Placing an initial fraud alert in your credit file provides notice to potential creditors (e.g., banks and credit card companies) that you may have been a victim of fraud or identity theft and will help reduce the risk that an identity thief can use your personal financial information to open new accounts. Contact any of the three credit bureaus listed below and ask them to add an initial fraud alert to your credit file.
You only need to contact one of the credit bureaus to add the alert to your credit file at all three credit bureaus. The credit bureau you contact will notify the other bureaus about the alert. The initial fraud alert will last for 90 days, and can be renewed every 90 days. Requesting an initial fraud alert and renewing the alert are both free.
Active duty members of the military may elect to add an “active duty alert” to their credit file. Active duty alerts are the same as an initial fraud alert except they last for 12 months.
If you have been a victim of identity theft, you may also consider placing an extended fraud alert or credit freeze in your credit file. An extended fraud alert is similar to an initial fraud alert except that it lasts for seven years. A credit freeze stops any new creditors from accessing your credit file until you remove the credit freeze from your credit file. Since most businesses will not open new credit accounts without checking your credit report, a freeze can stop identity thieves from opening new accounts in your name, but it does not stop them from taking over existing accounts. For additional information on extended fraud alerts and credit freezes, please visit the Federal Trade Commission’s (FTC) identity theft website at www.identitytheft.gov.
Monitor your credit reports. After you place an initial fraud alert in your credit file, you are entitled to obtain a free copy of your credit report from each of the credit bureaus. Check each of your reports for signs of fraud, such as an unknown account, a credit check or inquiry to your credit file that you do not know about, an employer you have never worked for, or unfamiliar personal information.