SEC Fines Firm for Failure to Adopt Cybersecurity Policies and Procedures

Recently the Securities and Exchange Commission (“SEC”) charged a St. Louis Investment adviser that had experienced a breach of client non-public information with failing to create and implement cybersecurity policies and procedures.

According to the SEC’s press release, for over four years R.T. Jones Capital Equities Management (“R.T. Jones”) stored the information electronically on their website and during that time “failed to adopt any written policies and procedures to ensure the security and confidentiality of personally identifiable information (PII) and protect it from anticipated threats or unauthorized access.”   As a result of this failure, the SEC fined R.T. Jones $75,000 in penalties and while the firm did not admit or deny any of the SEC’s allegations, it agreed to pay the penalties and cease and desist from further violations of Rule 30(a) of Regulation S-P.[1]

At the same time, the SEC issued an Investor Alert that provides information to investors on what steps to take if their PII is obtained due to a data breach.

Cybersecurity is currently a very hot topic for both the SEC and the Financial Industry Regulatory Authority (“FINRA”) and is high on their list of exam priorities for 2015. To that end, the SEC recently announced through the issuance of a National Exam Risk Alert that they will be performing more cybersecurity exams on both investment advisers and broker-dealers.

When implementing a cybersecurity program, there are a number of steps a firm should take, the least of which is performing a detailed risk assessment and due diligence on service providers to determine weaknesses.

To learn more on what steps to take for your cybersecurity policy and how Core Compliance can help, please contact us at (619) 278-0020 to schedule a consultation.

[1] See https://www.law.cornell.edu/cfr/text/17/248.30

Leave a Reply

Your email address will not be published.