New front opened in cybersecurity wars

Recently the SEC has made moves that show its willingness to put muscle behind its cybersecurity guidance. The SEC announced an agreement with St. Louis-based investment company RT Jones Capital Equities Management to settle charges that the company failed to adequately safeguard the personal information of approximately 100,000 individuals. Consistent with this trend, the SEC has announced that its Office of Compliance Inspections and Examinations will conduct a second round of investigations into the cybersecurity practices of brokerage and advisory firms. These moves signal the SEC’s increasing scrutiny of investment firms’ information security practices and indicate the regulator’s willingness to enforce the guidance that it has issued.

Penalties for inadequate protection of information

The SEC is skeptical of the cybersecurity measures that companies like RT Jones have in place because RT Jones was faulted for allowing almost 100,000 accounts to be compromised. These accounts were unencrypted and stored on third-party servers. The SEC wants companies such as RT Jones to implement more adequate cybersecurity policies. Because of this breach of information, the SEC fined RT Jones $75,000, and the company was also ordered to take specific remedial measures such as:

  • Appointing an information security manager responsible for data security and protection of personal information (PI)
  • Adopting and implementing an information security policy
  • Not storing the PI on the remote server
  • Encrypting the PI stored on the internal network

The SEC recently announced that it would conduct a second round of investigations into the cybersecurity practices of financial service firms. The SEC's inquiries will gather information on cybersecurity-related controls and assess implementation of certain firm controls in the following categories:

  • Governance and risk assessment
  • Access rights and controls
  • Data loss prevention
  • Vendor management
  • Training
  • Incident response

Judging from the measures that the SEC is beginning to take, it is in the best interest of financial service firms to begin implementing better security measures to protect their servers and the account information of their customers.

If you have any questions or concerns, or are in need of legal advice or representation, please contact Lvovich and Szucsko or call 415-392-2560.