NEW YORK (Reuters) - The U.S. Securities and Exchange Commission plans to bring more cases against investment advisers who do not have policies to prevent hacking, the agency’s enforcement chief said on Thursday.
The SEC is targeting advisers in cyber-related cases that focus on regulatory obligations to keep customers’ information private, said Andrew Ceresney, head of the SEC’s enforcement division.
In September, the SEC slapped St. Louis-based investment advisory firm R.T. Jones Capital Equities with a $75,000 fine, alleging it failed “entirely” to protect clients from a July 2013 cyber attack, later traced to China.
While the firm is small, the origin of the attack and cyber security concerns generated attention.
“There will be more cases like that,” Ceresney said at a conference for lawyers. He declined to comment on the timing or the number of cases in the SEC’s pipeline.
The SEC is one of many U.S regulators that have ramped up scrutiny of cyber security over the past few years in the wake of high-profile attacks against public companies like Target and Home Depot, in addition to banks such as JPMorgan Chase.
SEC regulations require, among other things, that investment advisers to have policies and procedures in place to secure clients’ personal information, such as social security numbers, and to curb the risk of cyber intrusions.
In the R.T. Jones case, the firm did not have written policies and procedures to safeguard customer data between September 2009 and July 2013, according to the SEC. The firm notified affected parties and offered free credit monitoring after the breach was discovered.
No customer reported suffering any financial harm as a result of the attack, according to the SEC.
Additional reporting by Sarah N. Lynch; Editing by Jeffrey Benkoe