The Securities and Exchange Commission says it has sanctioned eight firms for cybersecurity failures that compromised their clients' personal information.
Specifically, the firms have been sanctioned for failures in their cybersecurity policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm.
The eight firms — which have agreed to settle the charges — are: various Cetera entities, namely Cetera Advisor Networks, Cetera Investment Services, Cetera Financial Specialists, Cetera Advisors and Cetera Investment Advisers; Cambridge Investment Research and Cambridge Investment Research Advisors; and KMS Financial Services. The firms are registered either as broker-dealers, registered investment advisor firms, or both.
Broker-dealers and RIA firms "must fulfill their obligations concerning the protection of customer information," Kristina Littman, chief of the SEC enforcement division's cyber unit, said in a statement. "It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks."
The SEC says the firms violated Regulation S-P, also known as the Safeguards Rule, which is designed to protect confidential customer information.
The SEC's order against the Cetera entities adds that Cetera Advisors and Cetera Investment Advisers violated the Investment Advisers Act of 1940 and Rule 206(4)-7 in connection with their breach notifications to clients.
Without admitting or denying the SEC's findings, each firm agreed to cease and desist from future violations of the charged provisions, to be censured and to pay a penalty. The penalties total $300,000 for the Cetera entities, $250,000 for Cambridge and $200,000 for KMS.
The SEC says that between November 2017 and June 2020 cloud-based email accounts of more than 60 Cetera entities' personnel were taken over by unauthorized third parties, resulting in the exposure of personally identifying information of at least 4,388 customers and clients. None of the compromised accounts were protected in a manner consistent with the Cetera entities' policies, according to the SEC.
The SEC added that Cetera Advisors and Cetera Investment Advisers sent breach notifications to the firms' clients that included misleading language suggesting that the notifications were issued much sooner than they actually were after the discovery of the incidents.
The SEC says that between January 2018 and July 2021 cloud-based email accounts of more than 121 Cambridge representatives were taken over by unauthorized third parties, resulting in the PII exposure of at least 2,177 Cambridge customers and clients. Although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021, resulting in the exposure and potential exposure of additional customer and client records and information, according to the SEC.
The SEC says that between September 2018 and December 2019 cloud-based email accounts of 15 KMS financial advisers or their assistants were taken over by unauthorized third parties, resulting in the PII exposure of around 4,900 KMS customers and clients. KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020, and did not fully implement those additional security measures firm-wide until August 2020, placing additional customer and client records and information at risk, according to the SEC.
Editor's Note: This article was originally published as a breaking news article on Aug. 30, 2021.