By Sarah N. Lynch
WASHINGTON, Sept 22 - A St. Louis-based investment
advisory firm will pay $75,000 to settle civil charges alleging
it failed "entirely" to protect its clients from a July 2013
cyber attack that was later traced to China, U.S. regulators
said on Tuesday.
The Securities and Exchange Commission said R.T. Jones
Capital Equities Management did not even encrypt its customers'
data or install a firewall on its servers, and the hack
compromised the personal details of about 100,000 people.
No customer has reported suffering any financial harm as a
result of the attack, the SEC added.
Neither an attorney nor a representative for the firm could
be reached for comment.
R.T. Jones is a relatively small advisory firm, with only
about $481 million in assets under management as of June,
according to a filing with the SEC.
But the cyber security concerns at issue in the case, as
well as the origin of the attack, are likely to generate
attention.
In recent years, high-profile companies including Target
Corp and JPMorgan Chase & Co have been hit in
hack attacks.
In some cases, Chinese hackers have been implicated in
various cyber crimes, including a major breach at the U.S.
Office of Personnel Management disclosed earlier this year.
The topic of cyber spying is expected to come up when
President Barack Obama meets with Chinese President Xi Jinping
in Washington.
The SEC's charging documents against R.T. Jones say the hack
was traced to mainland China by a cyber-security consulting
firm. The full nature of the breach could not be determined
because the hacker destroyed digital log files.
The agency said the breach was discovered at the firm's
third-party-hosted Web server.
From September 2009 through July 2013, the SEC said, the
firm did not have written policies and procedures to safeguard
customer data. After the breach was discovered, it notified
affected parties and offered free credit monitoring.
A brochure that R.T. Jones filed with the SEC in June
promises that the firm has "physical, electronic, and procedural
safeguards" to protect personal information.
The SEC has been ramping up its focus on cyber security
protections at Wall Street firms. About a year ago, it conducted
a series of compliance exams at advisers and brokerages to make
sure they had adequate policies to protect against cyber crime.
(Reporting by Sarah N. Lynch; additional reporting by Ross
Kerber in Boston; Editing by Peter Cooney and Mohammad Zargham)