SEC brings first cybersecurity-related enforcement action
The Securities and Exchange Commission (“SEC”) recently settled its first cybersecurity-related enforcement action against a Missouri based registered investment adviser, R.T. Jones Capital Equities Management, Inc. (the “Investment Advisor”).
The Investment Advisor was censured and fined $75,000 for failing to have acceptable written policies and procedures regarding its customer records and information in place prior to a 2013 data breach incident that compromised names, dates of birth and social security numbers personally identifiable information (“PII”) of thousands of the Investment Advisor’s clients.
It is worth emphasizing that the censure and fine were imposed despite the fact that there is no evidence the breach resulted in harm to those individuals whose PII was affected.
The Investment Advisor offered web-based investment portfolio allocation services to its clients, who could enroll and log into the services using their PII. The services were hosted on a third-party web server. In 2013, it was discovered the server was being hacked from China.
The Investment Advisor engaged two cyber-forensic firms to investigate, but neither firm could determine whether PII was accessed or taken. The Investment Advisors also notified those affected of the breach and offered them credit monitoring services.
Notably, the individual data and PII on the server was not encrypted. There was no firewall on the server. And, although its services were offered to about 8,000 clients, the Investment Advisor maintained the PII of more than 100,000 individuals on the server.
In 2000, the SEC adopted Regulation S-P which implemented certain Gramm-Leach Bliley Act and the Fair Credit Reporting Act provisions for SEC regulated entities, including registered broker-dealers, investment advisers and investment companies.
Rule 30 of Regulation S-P (the “Safeguard Rule”) requires regulated entities to establish written safeguards “reasonably designed to insure the security and confidentiality of customer records and information, protect against anticipated threats to the security or integrity of those records and information, and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.”
In 2014, and again in 2015, the SEC’s Office of Compliance Inspections and Examinations’ (OCIE) published Risk Alerts (the “Risk Alerts”) announcing it would be conducting industry examinations on cybersecurity, with a focus on risk identification and preparedness assessments.
Similar to annual cybersecurity practice reviews in the insurance and other regulated industries, the OCIE is focused on understanding how and why cybersecurity breaches occur, in order to promote and enforce minimum appropriate safeguards against known or anticipated threats or hazards.
Applying the Lessons
First and foremost, the Safeguard Rule requires investment advisors and others regulated by the SEC to have in place written policies and procedures addressing the security and confidentiality of customer records and information.
The settlement order demonstrates that the SEC will impose a fine for failing to have these policies and practices in place, even if there is no demonstrated harm or damage.
The settlement order against the Investment Advisor reveals some of the components a regulated entity should expect OCIE staff to be looking for in an entity’s cybersecurity policies and practices as part of an OCIE examination in 2015 and beyond.
These components include conducting periodic risk assessments and having written incident response procedures, as well as using firewalls, encryption and other technology to restrict access and further protect PII.
In addition, the settlement order emphasizes the importance of making thoughtful decisions about the use and storage of PII when it questions the Investment Advisor’s decisions about storing the PII of 100,000 individuals on a third-party web server, when 90% of those individuals did not enroll in the web-based services.
Finally, the Risk Alerts highlight that the minimum requirements of these policies and procedures has evolved over time, and will continue to do so, based on developing industry and company specific risks and security incidents.