The U.S. Securities and Exchange Commission (SEC) announced that it has settled allegations against St. Louis-based R.T. Jones Capital Equities Management Inc., which was charged in connection with a cybersecurity breach that potentially exposed the personal data of 100,000 people, including thousands of the firm’s clients, to theft.
According to the SEC, an unknown hacker attacked the firm’s web server in July 2013, exposing the personal data of thousands of people. After the firm discovered the breach, it retained more than one cybersecurity consulting firm to confirm the attack, which was traced to China. R.T. Jones then contacted all of the affected individuals and provided them with free identity theft monitoring. So far, the SEC reports that the firm has not received any indications of a client suffering financial harm as a result of the cyber attack.
Nevertheless, the SEC now charges that the firm violated federal securities laws by failing to protect customer records and information. The regulator alleges that the firm failed to fully adopt policies and procedures reasonably designed to safeguard customer information, including failing to conduct periodic risk assessments, implement a firewall, encrypt personal data stored on its server, or maintain a response plan for cybersecurity incidents.
The firm agreed to settle the case without admitting or denying the SEC’s findings. In settling the charges, it agreed to cease and desist from committing any future violations, to be censured and to pay a US$75,000 penalty.
“As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients,” says Marshall Sprung, co-chief of the SEC enforcement division’s asset-management unit, in a statement. “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
The SEC’s Office of Investor Education and Advocacy also published a new investor alert on Tuesday, warning clients about the risk of identity theft and providing advice for investors regarding their accounts if they become victims of identity theft or a data breach.