(Updates with background, details on the case, in paragraphs 4-14)
By Sarah N. Lynch
WASHINGTON, Sept 22 (Reuters) - A St. Louis-based investment advisory firm will pay $75,000 to settle civil charges alleging it failed “entirely” to protect its clients from a July 2013 cyber attack that was later traced to China, U.S. regulators said on Tuesday.
The Securities and Exchange Commission said R.T. Jones Capital Equities Management did not even encrypt its customers’ data or install a firewall on its servers, and the hack compromised the personal details of about 100,000 people.
No customer has reported suffering any financial harm as a result of the attack, the SEC added.
Neither an attorney nor a representative for the firm could be reached for comment.
R.T. Jones is a relatively small advisory firm, with only about $481 million in assets under management as of June, according to a filing with the SEC.
But the cyber security concerns at issue in the case, as well as the origin of the attack, are likely to generate attention.
In recent years, high-profile companies including Target Corp and JPMorgan Chase & Co have been hit in hack attacks.
In some cases, Chinese hackers have been implicated in various cyber crimes, including a major breach at the U.S. Office of Personnel Management disclosed earlier this year.
The topic of cyber spying is expected to come up when President Barack Obama meets with Chinese President Xi Jinping in Washington.
The SEC’s charging documents against R.T. Jones say the hack was traced to mainland China by a cyber-security consulting firm. The full nature of the breach could not be determined because the hacker destroyed digital log files.
The agency said the breach was discovered at the firm’s third-party-hosted Web server.
From September 2009 through July 2013, the SEC said, the firm did not have written policies and procedures to safeguard customer data. After the breach was discovered, it notified affected parties and offered free credit monitoring.
A brochure that R.T. Jones filed with the SEC in June promises that the firm has “physical, electronic, and procedural safeguards” to protect personal information.
The SEC has been ramping up its focus on cyber security protections at Wall Street firms. About a year ago, it conducted a series of compliance exams at advisers and brokerages to make sure they had adequate policies to protect against cyber crime. (Reporting by Sarah N. Lynch; additional reporting by Ross Kerber in Boston; Editing by Peter Cooney and Mohammad Zargham)