Hacked Investment Advisor Fined $75,000 for Lack of Cyber-Security Measures

October 7, 2015 Advisory

Many in the investment advisory community are following the story of R.T. Jones Capital Equities Management, an investment advisor that, according to the Securities and Exchange Commission (SEC), suffered a hack exposing the personally identifiable information of "approximately 100,000 individuals, including thousands of the firm’s clients."*

The SEC recently announced a resolution with R.T. Jones that included: 

  • Advisor’s agreement to be censured by the SEC; 
  • Payment of a $75,000 penalty; 
  • Advisor’s agreement to cease and desist from violations of Rule 30(a) of Regulation S-P. 

In addition, R.T. Jones agreed to additional remedial measures, including appointing an information security manager, implementing a written information security policy, and taking steps to increase technical security. 

Guaranteed, 100% information security is not possible, and the SEC did not bring the action against R.T. Jones for failing to meet that standard. Rather, the SEC cited R.T. Jones for allegedly failing to have in place more basic security measures. Among the matters the SEC pointed to were:

  • The firm "failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information."
  • R.T. Jones "failed to conduct periodic risk assessments…or maintain a response plan for cybersecurity incidents." 

Armstrong Teasdale’s Privacy & Data Security Group offers services to clients, including investment advisors: 

  • Providing the written policies and procedures discussed by the SEC; 
  • Performing client information risk assessments using the OCTAVE Allegro risk assessment methodology, which includes assessing the client’s financial, reputational, operational, regulatory and other risk thresholds, and a scenario-based analysis of the type and relative importance of various risk scenarios;
  • Building tailored incident response plans which take into account the risk assessment findings; 
  • Working with the client’s management and IT group to understand the technical implications of various cybersecurity issues and decisions; 
  • Providing 24/7 incident response counseling. 

AT’s Privacy & Data Security Group understands that a robust cybersecurity effort requires understanding both the technical and the legal/regulatory challenges. That’s why AT’s legal team includes three lawyers who are also Certified Information Privacy Professionals (CIPP), and two lawyers who are also Certified Ethical Hackers (C|EH). 

*SEC Press Release, found at http://www.sec.gov/news/pressrelease/2015-202.html.