St. Louis-based investment advisory firm R.T. Jones Capital Equities Management was charged by the SEC with failure to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm's clients.
Federal securities laws require that registered investment advisors put in place written policies and procedures that are reasonably designed to safeguard customer records and information.
Recommended For You
An SEC investigation found, however, that for nearly four years the firm violated the "safeguards rule" by failing to have any policies and procedures that would ensure the security and confidentiality of PII and protect it from anticipated threats or unauthorized access.
According to the agency, R.T. Jones stored sensitive PII of clients and others on its third party-hosted Web server from September 2009 to July 2013, when it was attacked by a hacker who got hold of access and copy rights to data on the server.
That included the PII of more than 100,000 people, including thousands of the firm's clients, making the data vulnerable to theft.
Among other failures, R.T. Jones didn't conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.
On the plus side, the firm brought in multiple cybersecurity consulting firms after the attack, notified affected individuals of the breach and offered free identity theft monitoring through a third-party provider.
The firm so far has not received any notification of a client suffering financial harm as a result of the hack.
Without admitting or denying the SEC's charges, R.T. Jones has agreed to be censured and pay a $75,000 penalty.
The SEC has also announced that its Office of Investor Education and Advocacy has published a new Investor Alert, "Identity Theft, Data Breaches, and Your Investment Accounts."
The alert, also available on Investor.gov, the SEC's website for individual investors, offers steps for investors to take regarding their investment accounts if they become victims of identity theft or a data breach.
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
