A St. Louis-based registered investment adviser (RIA) will pay a $75,000 fine to settle charges that it failed to protect clients' personal information from a cyber attack traced to China.
The U.S. Securities and Exchange Commission alleges that R.T. Jones Capital Equities Management had no formal cybersecurity policy at the time of the breach, which exposed personal information of more than 100,000 individuals to hackers.
According to the SEC’s settlement order, R.T. Jones stored plan participants’ personal information on a third-party-hosted web server from September 2009 through July 2013.
In July 2013 the server was attacked by an unknown hacker who gained access to the data and copied it, leaving the personally identifiable information vulnerable to theft, according to the SEC.
To facilitate client verification, plan sponsors provided R.T. Jones with information on all of their plan participants — thus, even though R.T. Jones had fewer than 8,000 plan participant clients, the web server contained personal information on over 100,000 individuals.
After the breach, R.T. Jones notified every individual whose information may have been compromised and offered free identity theft monitoring. To date, there have been no indications of a client suffering harm due to the cyber attack.
The SEC claims that R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt participants’ personal information stored on the server, or maintain a response plan for cybersecurity incidents. Furthermore, at the time of the breach the firm had not adopted written cybersecurity policies and procedures as required by the federal Safeguards Rule (Rule 30(a) of Regulation S-P).
In the aftermath of the attack, R.T. Jones appointed an information security manager to oversee data security and protect participants’ information, installed a new firewall, and adopted a written information security policy. R.T. Jones has also retained a cybersecurity firm to provide ongoing reports and advice on its IT security, efforts the SEC noted in its order.
The SEC also published a timely Investor Alert on Tuesday warning of cyber attacks and identity theft involving investment accounts.