SEC Sanctions Investment Adviser for Failing to Adopt Proper Cybersecurity Policies and Procedures

September 25, 2015

On September 22, 2015, the SEC sanctioned a registered investment adviser (“Adviser”) for failing to adopt written policies and procedures to safeguard customer records and information prior to a cyber attack and breach of customer data.[1] The breach compromised the personally identifiable information (“PII”) of roughly 100,000 individuals, including thousands of the Adviser’s clients.[2]

Rule 30(a) of Regulation S-P under the Securities Act of 1933 (the “Safeguards Rule”) requires every registered investment adviser to adopt written policies and procedures to protect customer records and information.[3] Specifically, these procedures must be reasonably designed to: (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

The Adviser stored the PII of its clients and other retirement plan participants on a third-party-hosted web server. An unknown hacker gained access to that data in July 2013. After the Adviser discovered the breach, it promptly retained two cybersecurity consulting firms to confirm the attack and determine its scope. The Adviser also provided notice to all individuals whose PII may have been compromised by the attack, and offered free identity theft protection through a third-party provider.

The SEC found that from September 2009 to July 2013, the Adviser failed to adopt written policies or procedures reasonably designed to protect its customers’ PII, in violation of the Safeguards Rule. The Adviser did not, for example, conduct periodic risk assessments, implement a firewall, encrypt PII stored on its servers, or maintain a response plan for cybersecurity incidents. The Adviser agreed to cease and desist from violating the Safeguards Rule in the future, and also agreed to be censured and to pay a $75,000 penalty.

This SEC administrative proceeding and settlement highlight the importance of an adviser implementing written policies and procedures designed to safeguard client information. These procedures should be tailored to address the cybersecurity risks to which the adviser and its business are subject.

______________________________________________________

[1] R.T. Jones Capital Equities Management, Inc., SEC File No. 3-16827 (September 22, 2015), http://www.sec.gov/litigation/admin/2015/ia-4204.pdf.

[2] The Adviser provided investment advice to individual retirement plan participants using a managed account option. To verify enrollment eligibility, the Adviser required prospective clients to enter their name, date of birth, and social security number into the Adviser’s public website, which compared that information against records provided to the Adviser by plan sponsors. To facilitate this verification process, plan sponsors provided the Adviser with the PII of all of their plan participants, which was stored on the Adviser’s web server. Accordingly, even though the Adviser had fewer than 8,000 plan participant clients, the web server contained the PII of over 100,000 individuals.

[3] 17 C.F.R. § 248.30(a).

______________________________________________________

If you have any questions regarding the matters covered in this memo, please contact any of the partners and counsel listed below or your primary attorney in Seward & Kissel’s Investment Management Group.