SEC Takes Action Against Adviser After Cybersecurity Breach
Cybersecurity policies and procedures that protect sensitive client information are not voluntary. Failure to adopt and implement proper measures can result in SEC charges, as it did last week for an investment adviser the agency charged with not properly safeguarding client information.
R.T. Jones Capital Equities Management, a St. Louis-based adviser, on Sept. 22 settled such charges with the SEC after a breach that may have allowed overseas hackers to reach the personally identifiable information (PII) of approximately 100,000 individuals. Among the individuals whose information was potentially breached were thousands of the firm’s clients, the SEC alleged, although no clients were known to have been harmed.
As part of the settlement, R.T. Jones, which has about 8,400 client accounts and approximately $480 million in assets under management, was censured and ordered to pay a $75,000 civil money penalty. The firm took a number of remedial steps prior to the settlement, such as appointing an information security manager to oversee data security and PII protection, which the SEC said it took into account in reaching the settlement. An attorney representing R.T. Jones did not respond to a voice message or email seeking comment.
"It’s a sad story," said Shearman & Sterling partner Nathan Greene. "You get hacked, on a human level you respond in a responsible way, then you still have to deal with violations of regulations."
Rules and enforcement
There are no prescriptive cybersecurity rules from the SEC that an adviser must follow; the agency currently prefers a risk-based approach, under which advisers are expected to employ a risk management process, be risk aware, and be "thoughtful" about the measures they put in place, said K&L Gates partner Sean Mahoney. Cybersecurity is "a very dynamic area, constantly evolving," he said, so a prescriptive one-size-fits-all rule would be difficult to implement.
But enforcement action will also be a factor, Mahoney said. "Despite the OCIE exams and the cybersweeps, this kind of enforcement action is going to happen." To date, agency cybersecurity enforcement actions have followed only after a security breach, "but this could change," he said. For instance, Mahoney suggested, if examiners found an adviser lacking basic policies and procedures to protect client data, the SEC might bring charges against that adviser before any breach occurs.
When it has brought charges, as in this case, the SEC has been using Regulation S-P’s Rule 30(a), the Safeguards Rule, which requires advisers to adopt written policies and procedures to protect customer records and information. But other rules, including Rule 206(4)-7, the Compliance Program Rule, could be used, if business continuity was in question from a potential cybersecurity breach or if a compliance plan did not take such risks into account, Mahoney said.
The lesson to learn from this? The SEC takes cybersecurity very seriously – and will use whatever tools it has in its toolbox to make sure advisers do, too. That includes issuing guidance, as OCIE did earlier this month (ACA Insight, 9/21/15), and filing enforcement actions where its rules allow.
"As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the Safeguards Rule even in cases like this when there is no apparent financial harm to clients," said SEC Enforcement Division Asset Management Unit co-chief Marshall Sprung. "Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs."
R.T. Jones, through agreements with a retirement plan administrator and various retirement plan sponsors, provides investment advice to individual plan participants using a managed account option program, which offers a choice of model portfolios for participants to choose from, according to the administrative order instituting the settlement. The plan administrator performs the actual transactions.
R.T. Jones itself does not control or maintain client accounts or client account information, the SEC said. From at least September 2009 through July 2013, the firm stored sensitive PII, without modification or encryption, on a third-party-hosted web server – "without adopting written policies and procedures regarding the security and confidentiality of that information and the protection of that information from anticipated threats or unauthorized access," the agency said.
Making matters worse, the plan sponsors that worked with R.T. Jones provided the adviser with information about all of their plan participants. This was done, the SEC said, so that when prospective clients logged onto the managed account option program to verify their eligibility, the login information could be compared against the PII of all eligible plan participants. "Thus, even though R.T. Jones had fewer than 8,000 plan participant clients, its web server contained the PII of over 100,000 individuals."
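The design the order describes, an internet-facing server holding the full participant file so that a login can be matched against it, is the root of the exposure: the server needed to answer "is this person eligible?" but was given the PII of everyone who might ask. One way to answer the same question without that data is for the sponsor to hand the adviser keyed hashes (HMAC tokens) of the eligibility identifier rather than the records themselves, with the key kept off the web host. The following Python is an added example written for this article; it is not R.T. Jones's, the plan administrator's or the SEC's code, the page does not say how the firm's comparison was actually implemented, and the field names, the `TokenService`/`EligibilityStore` split and the sample identifiers are assumptions made for illustration.

```python
"""Data-minimizing eligibility check: the web tier stores only keyed tokens,
never the participants' PII.

Added example, not code from any real system.  The split between a plan
sponsor, a key-holding token service and an internet-facing web tier, and all
identifiers below, are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import unicodedata


class TokenService:
    """Owns the HMAC key and turns an eligibility identifier into an opaque token.

    Assumption: this runs off the web host (behind a KMS/HSM interface, or at
    the sponsor), so an intruder who copies the web server obtains tokens but
    not the key needed to test guessed identifiers against them.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("key must be at least 256 bits")
        self._key = key

    @staticmethod
    def canonical(sponsor_id: str, participant_id: str) -> bytes:
        """Normalise inputs so trivially different spellings map to one token."""
        norm = lambda s: unicodedata.normalize("NFKC", s).strip().upper()
        return f"{norm(sponsor_id)}\x00{norm(participant_id)}".encode("utf-8")

    def token(self, sponsor_id: str, participant_id: str) -> str:
        msg = self.canonical(sponsor_id, participant_id)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


class EligibilityStore:
    """The only eligibility data the internet-facing web tier holds: tokens."""

    def __init__(self) -> None:
        self._tokens: set[str] = set()

    def load(self, tokens) -> None:
        self._tokens.update(tokens)

    def __len__(self) -> int:
        return len(self._tokens)

    def contains(self, token: str) -> bool:
        # A hashed-set lookup is acceptable here: the caller never controls the
        # token bytes directly, only the HMAC input, so lookup timing reveals
        # nothing an attacker could use to recover another participant's token.
        return token in self._tokens


def sponsor_export(svc: TokenService, sponsor_id: str, participant_ids) -> list[str]:
    """Run at the sponsor: ship the adviser tokens, not the participant file."""
    return [svc.token(sponsor_id, pid) for pid in participant_ids]


def verify_login(store: EligibilityStore, svc: TokenService,
                 sponsor_id: str, participant_id: str) -> bool:
    """Web-tier eligibility check: derive the token, look it up, retain no PII."""
    return store.contains(svc.token(sponsor_id, participant_id))


def web_tier_exposure(store: EligibilityStore) -> list[str]:
    """Everything an intruder with copy rights on the web server would obtain."""
    return sorted(store._tokens)


if __name__ == "__main__":
    # Constructed sample data for illustration only.
    svc = TokenService(key=secrets.token_bytes(32))
    store = EligibilityStore()
    store.load(sponsor_export(svc, "PLAN-A", ["P-1001", "P-1002", "P-1003"]))
    print(verify_login(store, svc, "plan-a", " p-1002 "))   # eligible
    print(verify_login(store, svc, "PLAN-A", "P-9999"))     # not in the plan
    print(web_tier_exposure(store)[0])                      # an opaque 64-hex-char token
```

Two caveats a practitioner should weigh. The tokens are only as protective as the key's location: if the eligibility identifier is low-entropy (a nine-digit number, say) and the key sits on the same host as the token table, an intruder can enumerate every candidate offline, so the key must live elsewhere. And the table still reveals how many participants a sponsor has. Neither design choice substitutes for the written policies and procedures the Safeguards Rule requires; it only shrinks what a breach of the web tier can expose.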
The breach occurred in July 2013, when "the firm’s web server was attacked by an unauthorized, unknown intruder, who gained access rights and copy rights to the data on the server," the agency said, leaving all the individuals on the site "vulnerable to theft."
R.T. Jones itself discovered the breach, and "promptly retained" more than one cybersecurity consulting firm to confirm its findings and assess the scope of the attack, according to the administrative order. "One of the forensic cybersecurity firms reported that the cyber attack had been launched from multiple IP addresses, all of which traced back to mainland China."
However, while the consulting firms found that the intruder had gained access and copy rights, they "could not determine the full nature or extent of the breach because the intruder had destroyed the log files surrounding the period of the intruder’s activity," the agency said. Another cybersecurity firm, hired to review the initial reports and assess the breach’s scope, could not determine whether the PII had actually been accessed or compromised. "To date," the SEC said, R.T. Jones "has not learned of any information indicating that a client has suffered any financial harm as a result of the cyber attack."
The adviser provided notice of the breach to all of the individuals whose PII may have been compromised and offered them free identity monitoring through a third-party provider, according to the agency.
ACA Aponix senior principal consultant Michael Pappacena said that the case points to the following cybersecurity best practices that advisers should follow:
Understand where your PII data exists and protect it accordingly. Know which vendors have custody of or access to the firm's PII data and ensure they are protecting that data, he said. "Ultimately, the firm is accountable for the vendors they contract."
Ensure your firm has a written information security program. This should include an incident response plan outlining how your firm will respond to a breach.
Perform periodic cybersecurity and technology risk assessments. These should cover the firm itself and include due diligence on any vendors, so "you understand their overall risk posture," he said.