SEC goes after investment adviser for poor cybersecurity

The Securities and Exchange Commission (SEC) settled charges Tuesday with an investment adviser that allegedly failed to properly protect its clients’ data in what might be a first-of-its-kind enforcement action.

Because of the security shortcomings, the SEC alleges, suspected Chinese hackers were able to crack the network of St. Louis-based R.T. Jones Capital Equities Management, accessing roughly 100,000 people’s information.

Officials accused the firm of having no written policies for safeguarding customer information. R.T. Jones, the SEC said, did not conduct regular security risk assessments, encrypt sensitive client data or install a firewall, a common security measure that controls incoming and outgoing network traffic.

Although the SEC could find no evidence that R.T. Jones’s clients were financially harmed because of the breach, the agency chose to take action anyway as part of its burgeoning efforts to pressure companies to tighten their cybersecurity.

“As we see an increasing barrage of cyberattacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients,” said Marshall Sprung, co-chief of the SEC Enforcement Division’s Asset Management Unit.

R.T. Jones agreed to pay a $75,000 penalty as part of the settlement.

In addition to enforcement actions, the SEC is also considering requirements that would force companies to reveal more information about their cybersecurity vulnerabilities.

“Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs,” Sprung said.