To date, the SEC’s focus on cybersecurity has largely been relegated to providing guidance to registrants and learning about the state of cybersecurity preparedness through examinations. See “OCIE Risk Alert Provides Cybersecurity Guidance to Investment Advisers and Broker-Dealers,” Hedge Fund Law Report, Vol. 8, No. 37 (Sep. 24, 2015). One sign that the SEC may take action against firms that fail to follow that guidance, regardless of whether harm is alleged, is the recent settlement with investment adviser R.T. Jones Capital Equities Management, Inc. The firm suffered a cybersecurity breach that compromised information of over 100,000 retirement plan participants and has agreed to pay a $75,000 fine to settle the charges that it violated the Safeguards Rule under Regulation S-P. The SEC released a related Investor Alert offering guidance to individual investors who believe that their personally identifiable information has been compromised. This article provides the highlights of the SEC’s order and Investor Alert. For more on cybersecurity risks, regulations and preparedness, see our series covering a K&L Gates-IAA panel addressing “Cybersecurity Laws and Threats Applicable to Investment Managers (Part One of Two),” Hedge Fund Law Report, Vol. 8, No. 16 (Apr. 23, 2015); and “Cybersecurity Risk Mitigation Frameworks and Techniques for Investment Managers (Part Two of Two),” Vol. 8, No. 17 (Apr. 30, 2015).