A St. Louis-based investment adviser has been charged with failing to adequately protect its web server, exposing it to a cyber attack that compromised the personal data of thousands of clients.
The July 2013 breach has not resulted in any financial harm to a client of R.T. Jones Capital Equities Management. But the U.S. Securities and Exchange Commission said Tuesday the firm violated the “safeguards rule” requiring registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information.
Among other things, R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt personal data stored on its server, or maintain a response plan for cyber security incidents, the SEC alleged in an administrative order.
“As a result of the attack, the [personal identifying information] of more than 100,000 individuals, including thousands of R.T. Jones’s clients, was rendered vulnerable to theft,” the order said.
The firm has about 8,400 client accounts and about $480 million in assets under management. To settle the SEC’s charges, it agreed to be censured and pay a $75,000 penalty.
“As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients,” Marshall S. Sprung, co-chief of the SEC enforcement division’s asset management unit, said in a news release.
“Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cyber security events and have clear procedures in place rather than waiting to react once a breach occurs,” he added.
According to the SEC, R.T. Jones stored personal information of clients and others on a third-party-hosted web server from September 2009 to July 2013. The server was attacked by an unknown hacker who gained access to it and with it the ability to copy the data stored on the server.
Soon after R.T. Jones discovered the breach, it retained more than one cyber security firm to confirm the attack, which was traced to China, and notified every individual whose personal information may have been compromised.