SEC fires cybersecurity warning shot ahead of sweep

In a move that some are calling a shift in policy, the commission cited its ‘safeguards rule’ to bring cybersecurity-related charges against a Missouri investment adviser.

In a move that observers are describing as the US Securities and Exchange Commission (SEC) setting a stricter tone on registered advisers’ duty to thwart cybercriminals, the agency has brought rare cybersecurity-related charges against a mid-size retail fund manager based in Missouri.

The charges come just weeks ahead of a cybersecurity sweep that is expected to target more than 100 unidentified registered broker-dealers and advisers.

The SEC cited its “safeguards rule” (Rule 30(a) of Regulation S-P), which requires registered firms, GPs included, to adopt written policies and procedures reasonably designed to protect client records and information, to bring charges against RT Jones Capital Equities Management for failing to adopt sufficient cybersecurity policies and procedures. Only in two other instances (in cases against broker-dealer LPL Financial Corporation in 2008 and stock trading firm Commonwealth Equity in 2009) has the SEC cited the rule in an enforcement action, a source close to the agency said.

“The charges mark a shift in cybersecurity from being a general fiduciary duty into a stricter, statutory-based requirement of registered investment advisers,” said Schulte Roth & Zabel attorney Brian Daly, a private funds regulation specialist.

Hackers traced to China stole personal data belonging to thousands of RT Jones clients from a web server hosted by a third-party vendor. Legal sources say the case is a warning to all GPs that outside IT service providers must be regularly monitored and assessed for cybersecurity readiness, since the firm remains responsible for client data it has handed to a vendor. Only one in three registered advisers requires cybersecurity risk assessments of third-party vendors with access to firm networks, according to findings from a prior SEC cybersecurity sweep completed earlier this year. “Outsourcing cybersecurity doesn’t mean you no longer have to give it the same level of review as you would in-house,” said Daly.

Importantly, there was no indication that the breach resulted in any financial harm to investors, suggesting that the commission sees the loss of data as reason enough to issue fines. RT Jones agreed to be censured and pay a $75,000 penalty for the breach.

The remedial steps RT Jones took after the breach did not spare it from enforcement action. After discovering the breach, RT Jones hired a cybersecurity consultant to determine the scope of the attack and notified clients of the breach. RT Jones, which manages about $480 million in assets, also offered free identity theft monitoring services to its approximately 8,400 client accounts. The SEC’s position is that the deficiency lay in the absence of written policies and procedures before the breach, which no amount of post-breach response could cure.

“Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs,” Marshall Sprung, co-chief of the Asset Management Unit within the SEC’s Division of Enforcement, said in a statement.

Accompanying the SEC order is a new investor alert from the agency’s Office of Investor Education and Advocacy titled, “Identity Theft, Data Breaches, and Your Investment Accounts.” The alert offers steps for investors to take regarding their investment accounts if they become victims of identity theft or a data breach.