The Securities and Exchange Commission (SEC) recently announced the settlement of charges against investment adviser R.T. Jones for failing to adopt cybersecurity policies and procedures before it suffered a data breach. This is the SEC's first cybersecurity enforcement action for failure to protect client data, and it signals that the SEC's focus is on preparedness rather than on the outcome of an attack.
The SEC brought the charges under the Safeguards Rule of Regulation S-P, which requires registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information. The charges arose from a 2013 cyberattack on the firm's web server that exposed the personal information of roughly 100,000 individuals. The SEC investigation found that R.T. Jones had not adopted written policies and procedures, had not conducted periodic risk assessments, and had not implemented basic technical controls such as a firewall or encryption of the stored data. The practical point is that the SEC treated the absence of these controls as evidence that no "reasonably designed" safeguards existed at all, so documented policies and the technical controls that back them up are being assessed together.
The SEC's enforcement focused on how prepared R.T. Jones was before the attack, not on how well the firm responded to the breach or on whether any harm resulted from it. To date, no harm to clients has been tied to the breach. The standard applied is reasonableness of the safeguards in place beforehand, which means a firm cannot rely on a clean outcome or a good incident response to offset missing controls. This action should serve as a wake-up call to the financial industry on the importance of preparedness and regular risk assessments.
“As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients,” said Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit. “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
The announcement coincides with the scheduling of the SEC's second round of cybersecurity examinations, which is expected to assess how well firms' procedures and controls have actually been implemented, rather than whether they merely exist on paper. Taken together, this enforcement action and the narrow focus of the examinations underline the SEC's commitment to data protection through tighter regulation and enforcement.
The SEC is making clear that its enforcement focus is on preparedness and effective defences, so it is up to financial institutions to be able to demonstrate that policies, procedures and technologies are in place to protect client data and to respond quickly should a breach occur. In a recent whitepaper, How Financial Services Firms Can Bolster Security by Leveraging Persistence Technology on the Endpoint, we discuss recent security trends in the industry and how Persistence technology by Absolute can play a role in data protection.