Despite this lack of clear harm to RT Jones’ clients, the SEC brought an enforcement action under Rule 30 of Regulation S-P for failure to implement safeguards designed to protect personally identifiable information. In particular, the SEC focused on the failure to:
- conduct periodic risk assessments
- implement a firewall
- encrypt the personally identifiable information, or
- adopt a cybersecurity incident response plan.
In determining the penalty, the SEC noted RT Jones’ subsequent remedial efforts, including adopting a cybersecurity policy, ceasing to store personally identifiable information on its webserver and encrypting the personally identifiable information held on its internal network.
The enforcement action against RT Jones is likely a preview of future SEC enforcement against investment advisers and broker-dealers. Firms should carefully construct cybersecurity policies and procedures, and review their cybersecurity practices to ensure that information security measures are consistent with the emerging standard of care to be enforced by the SEC.