The SEC’s Focus on Cybersecurity

Jessica Forbes is a corporate partner resident the New York office of Fried, Frank, Harris, Shriver & Jacobson LLP. This post is based on a Fried Frank publication authored by Ms. Forbes, Joanna D. Rosenberg, and Stacey Song.

On September 22, 2015, the Securities and Exchange Commission (the “SEC”) issued a cease-and-desist order (the “Order”) and settled charges against St. Louis-based investment adviser R.T. Jones Capital Equities Management (“R.T. Jones”) for failing to establish required policies and procedures to safeguard customer information in violation of Rule 30(a) of Regulation S-P (“Rule 30(a)”) under the Securities Act of 1933. [1]

Rule 30(a) requires every broker, dealer, investment company and registered investment adviser to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of customer information and to protect customer information from anticipated threats or unauthorized access. According to the Order, from at least September 2009 through July 2013, R.T. Jones stored personal information of its clients and other persons on its third party-hosted web server without adopting any such written policies and procedures. In July 2013, a hacker gained access to the data on R.T. Jones’ web server, rendering the personal information of more than 100,000 individuals vulnerable to theft. In response to the cyber attack, R.T. Jones notified each individual whose information was compromised.

The Order states that R.T. Jones had not received reports that the cyber attack had resulted in financial harm to any client. Nevertheless, the SEC’s press release quotes the Co-Chief of the SEC Enforcement Division’s Asset Management Unit, Marshall S. Sprung, saying, “As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients. Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.” The Order specifically notes that R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt customer information stored on its server or maintain a response plan for cybersecurity incidents.

The Order’s emphasis on cybersecurity highlights the SEC’s heightened focus on the adoption and implementation of cybersecurity policies and procedures by registered investment advisers. In the past year and a half, the Office of Compliance Inspections and Examinations (“OCIE”) has published two Risk Alerts on cybersecurity [2] and the SEC has published a guidance update on cybersecurity [3] and hosted a Cybersecurity Roundtable. The most recent Risk Alert on cybersecurity, published by OCIE on September 15, 2015, announced OCIE’s intent to conduct a second cybersecurity sweep examination. The second cybersecurity sweep examination is expected to involve more information gathering and testing to assess implementation of firm cybersecurity procedures and other cybersecurity-related controls, and will focus on cybersecurity governance and risk assessment, access rights and controls, data loss prevention, vendor management, employee cybersecurity training and incident response.


[1] In the matter of R.T. Jones Capital Equities Mgmt., Inc., Advisers Act Release No. 4204 (September 22, 2015), available at; Press Release, Securities and Exchange Commission, SEC Charges Investment Adviser With Failing to Adopt Proper Cybersecurity Policies and Procedures Prior To Breach (September 22, 2015), available at
(go back)

[2] Office of Compliance Inspections and Examinations, OCIE’s 2015 Cybersecurity Examination Initiative, IV National Exam Program Risk Alert, September 15, 2015, available at Office of Compliance Inspections and Examinations, Cybersecurity Examination Sweep Summary, IV National Exam Program Risk Alert, February 3, 2015, available at
(go back)

[3] IM Guidance Update No. 2015-02 (April 2015), available at
(go back)

Both comments and trackbacks are currently closed.