The Securities and Exchange Commission has sanctioned eight firms for having deficient cybersecurity policies and procedures that resulted in email account takeovers that exposed the personal information of thousands of customers.
The eight firms, which have agreed to settle the charges, are Cetera Advisor Networks, Cetera Investment Services, Cetera Financial Specialists, Cetera Advisors, Cetera Investment Advisers, Cambridge Investment Research, Cambridge Investment Research Advisors, and KMS Financial Services. All were registered as broker-dealers, investment advisory firms, or both.
According to the SEC’s order against the Cetera entities, between November 2017 and June 2020, the cloud-based email accounts of more than 60 Cetera personnel were taken over by unauthorized third parties, exposing personally identifying information of at least 4,388 customers and clients. None of the accounts were protected in a manner consistent with the Cetera entities’ policies, the SEC said.
The SEC claims that Cetera Advisors and Cetera Investment Advisers sent breach notifications to their clients that included misleading language suggesting that the notifications were issued “much sooner” after discovery of the incidents than they actually were.
According to the SEC’s order against Cambridge, between January 2018 and July 2021, the cloud-based email accounts of 121 Cambridge representatives were taken over, resulting in the exposure of the personal information of at least 2,177 customers and clients.
The SEC claims that although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts until 2021, resulting in the exposure and potential exposure of additional client records and information.
According to the order against KMS, between September 2018 and December 2019, the email accounts of 15 KMS financial advisers or their assistants were taken over, resulting in the exposure of the personal information of approximately 4,900 customers and clients.
The SEC claims that KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020 and did not fully implement those additional security measures firm-wide until August 2020.
“Investment advisers and broker-dealers must fulfill their obligations concerning the protection of customer information,” said Kristina Littman, chief of the SEC enforcement division’s cyber unit. “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”
Without admitting or denying the SEC’s findings, each firm agreed to cease and desist from future violations, to be censured, and to pay a penalty.
The Cetera entities will pay a $300,000 penalty, Cambridge will pay $250,000, and KMS will pay $200,000.