SEC Fines Firm for Failure to Adopt Cybersecurity Policies and Procedures

 


 

Recently the Securities and Exchange Commission (“SEC”) charged a St. Louis investment adviser that had experienced a breach of client non-public information with failing to create and implement cybersecurity policies and procedures.

According to the SEC’s press release, for over four years R.T. Jones Capital Equities Management (“R.T. Jones”) stored the information electronically on their website and during that time “failed to adopt any written policies and procedures to ensure the security and confidentiality of personally identifiable information (PII) and protect it from anticipated threats or unauthorized access.” As a result of this failure, the SEC fined R.T. Jones $75,000 in penalties. While the firm did not admit or deny any of the SEC’s allegations, it agreed to pay the penalties and to cease and desist from further violations of Rule 30(a) of Regulation S-P.[1]

At the same time, the SEC issued an Investor Alert (http://www.sec.gov/oiea/investor-alerts-bulletins/ia_databreaches.html) that provides information to investors on what steps to take if their PII is obtained due to a data breach.

Cybersecurity is currently a very hot topic for both the SEC and the Financial Industry Regulatory Authority (“FINRA”) and is high on their list of exam priorities for 2015. To that end, the SEC recently announced through the issuance of a National Exam Risk Alert that they will be performing more cybersecurity exams of both investment advisers and broker dealers.

When implementing a cybersecurity program, there are a number of steps a firm should take, not the least of which is performing a detailed risk assessment and due diligence on service providers to determine weaknesses.

To learn more about what steps to take for your cybersecurity policy and how CCLS can help, please contact us at info@corecls.com or (619) 298-2880.

[1] See https://www.law.cornell.edu/cfr/text/17/248.30