On September 22, the Securities and Exchange Commission (“SEC”) announced an important cybersecurity enforcement action that has broad implications for registered investment advisers. In a Settlement Order, the SEC found that R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, “willfully violated” the Safeguards Rule. From September 2009 through July 2013, the firm stored unencrypted, sensitive personally identifiable information (“PII”) of clients and others on its unencrypted, third-party-hosted web server.
In requiring that broker-dealers, investment companies, and registered investment advisers guard against cybersecurity breaches, the SEC has relied on its authority under Sections 501, 504, and 505 of the Gramm-Leach-Bliley Act of 1999 to create the new regulations. The “Safeguards Rule” is Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)). Enforcement actions initiated by the SEC relating to computer security are often grounded in violations of the Safeguards Rule.