The Securities and Exchange Commission has settled charges against a St. Louis investment firm that allowed Chinese hackers to steal data on more than 100,000 clients, even though no financial harm was inflicted upon those clients.
The investment company, R.T. Jones, stored personal identifying information on its clients on a third-party server without taking basic precautions to safeguard it, according to the SEC, which said the company “failed to conduct periodic risk assessments, implement a firewall, encrypt [personal identifying information] stored on its server, or maintain a response plan for cybersecurity incidents.”
R.T. Jones agreed to be censured and to pay a $75,000 penalty to settle the case.
“As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients,” said Marshall Sprung, who leads the enforcement division of the SEC.
In August, the FBI issued an alert on email fraud perpetrated against attorneys, real estate agents, and financial service companies, due to their access to client lists and financial information. Such fraud is generally initiated by hackers based in China, who first steal information from financial representatives and then impersonate them in order to defraud their clients.
The agency reported that such scams cost individuals in the U.S. $700,000 in the second quarter of 2015 alone. As a result, the feds are cracking down on companies that fail to secure data. Sprung added that in order to be compliant, “firms must adopt written policies to protect their clients’ private information … anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
R.T. Jones failed to implement any of the measures that Sprung delineated, but did hire several cybersecurity firms to investigate the incident after it took place.
