Attention FAE Customers:
Please be aware that NASBA credits are awarded based on whether the events are webcast or in-person, as well as on the number of CPE credits.
Please check the event registration page to see if NASBA credits are being awarded for the programs you select.

Want to save this page for later?


The Daily

SEC Holds Investment Adviser Liable for Cyber Attack

Chris Gaetano
Published Date:
Sep 24, 2015
DevilComputerThe Securities and Exchange Commission found an investment advisory firm to be liable for a massive cyber attack that targeted it, saying the firm left the front door wide open, thus failing to protect the more than 100,000 clients whose personal information was put at risk during the incident, according to a recently issued administrative order

The SEC said that the firm, RT Jones Capital Equities Management, stored sensitive personal information for its clients via a third-party hosted web server, but "did not adopt written policies and procedures regarding the security and confidentiality of that information, and how to protect it from anticipated threats or unauthorized access." Then, in 2013, the firm's web server was attacked by an unknown intruder who gained access rights and copy rights to its data.

The Commission pointed to the Safeguards Rule, adopted in 2000, which requires that every SEC-registered investment adviser adopt written policies and procedures reasonably designed to insure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of those same records and information, and protect against unauthorized access to or use of records and information. The firm, according to the SEC, failed to adequately do this.

For example, the SEC said it did not conduct period risk assessments, did not use a firewall to protect the web server, and did not establish procedures for how to respond to a cyber security incident.

"Taken as a whole, RT Jones's policies and procedures for protecting customer records and information were not reasonable to safeguard customer information," said the SEC order.

Consequently, the SEC has censured the firm, ordered it to stop violating the regulation, and fined it $75,000. The SEC noted that the firm has already begun remediation efforts, such as appointing an information security manager, no longer keeping vital information on its server, installing a new firewall and logging system, and retaining a cyber security firm to provide ongoing reports  and advice on its IT security.