As we have written extensively on this blog, numerous federal agencies, including the FTC and FCC, are increasingly focused on cybersecurity. Add another one to the list. While the Securities and Exchange Commission (“SEC”) first entered the cybersecurity fray last February when it issued a summary of the data security practices of 57 registered broker-dealers and 49 registered investment advisors, it recently upped the ante with its first ever cybersecurity enforcement settlement and plans to conduct another round of cybersecurity sweeps of various financial service providers.
First, the enforcement action. On September 22, 2015, the SEC issued an order settling its first-ever cybersecurity enforcement action related to the failure to protect client data. The order, In re R.T. Jones Capital Equities Management, Inc., Admin Pro. 3-16827 (Sept. 22, 2015), alleges that investment adviser R.T. Jones violated Rule 30(a) of Regulation S-P, 17 C.F.R. § 248.30(a), by failing to adequately safeguard its clients’ personally identifiable information (“PII”). Between 2009 and 2013, R.T. Jones allegedly stored clients’ PII on a web server hosted by a third party without adopting written policies and procedures requiring protections such as periodic risk assessments, firewalls to protect the server, encryption of PII, or incident response procedures. The firm discovered in July 2013 that an unauthorized intruder originating in China had gained access to the third-party server, but forensic consultants could not determine whether the clients’ PII was actually accessed or exfiltrated because the intruder destroyed the log files surrounding the period of intrusion.
Notably, there is no evidence to date that any of the affected clients have been financially harmed by the incident, and the SEC did credit R.T. Jones’ swift remediation efforts and prompt client notification following the incident. The SEC nevertheless levied a penalty solely based on the firm’s (and the firm’s third-party hosting vendor’s) failure to “adopt written policies and procedures that are reasonably designed to safeguard customer records and information.” However, the SEC suggested in the Order that it accepted a relatively modest settlement of $75,000 in part because of R.T. Jones’ remedial efforts, including appointing an information security manager, adopting a written information security policy, encrypting any PII stored on its network, installing a new firewall and logging system, and retaining a cybersecurity firm to provide ongoing reports and advice on the firm’s IT security.
Although In re R.T. Jones marks the first time the SEC has brought an enforcement action related to the failure to protect and ensure the integrity of client data, the action is part of the agency’s ongoing effort to improve regulated entities’ cybersecurity safeguards. Just one week earlier, the agency’s Office of Compliance Inspections and Examinations (“OCIE”) released a risk alert announcing that it plans to conduct a second round of cybersecurity sweep exams. According to OCIE, the new sweep is designed to build on the agency’s March 2014 exams, and will focus on several key controls: governance and risk assessments, access rights and controls, data loss prevention, vendor management, training, and incident response. The alert includes a sample list of information that OCIE may review during an exam, including policies, procedures, board minutes, briefings, incident summaries, risk assessments, and other information related to each of these areas. The requests, OCIE notes, often align with topics outlined in NIST’s 2014 Cybersecurity Framework.
As cybersecurity is now clearly one of the SEC’s top priorities, financial institutions should likewise make it theirs. Firms should ensure that they have written policies and procedures governing the protection of client PII, and should conduct regular testing and risk assessments to gauge the effectiveness of such measures against the constantly changing threat landscape. It is also no longer enough for firms just to ensure the security of their own systems – they must also require vendors to maintain similar safeguards. Firms should consult with counsel to ensure that their own information security programs and their contracts with vendors contain adequate protections to withstand SEC scrutiny.