SEC fines Firms with inadequate Cybersecurity Practices

The Securities and Exchange Commission (SEC) has sanctioned eight firms for failures in their cybersecurity practices.

These cybersecurity incompetencies led to the email account takeovers, where the personal information of a number of customers and clients at each of the firms was exposed as a result. 

The eight firms include Cetera Entities, including Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC, along with Cambridge firms including Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc., and KMS Financial Services Inc. These all were Commission-registered as broker dealers, investment advisory firms, or both. After the claim, these firms agreed upon the settlement of the charges.

According to the SEC’s orders, each of the firms violated Rule 30(a) of Regulation S-P, which is also known as the Safeguards Rule. This rule is designed to secure customers’ confidential information where every broker-dealer and investment adviser registered with the Commission has to adopt written policies and procedures. 

In regard to the violations, the Cetera Entities will pay $300,000 as a penalty, Cambridge will pay $250,000 as a penalty, and KMS will pay $200,000.

In a statement, Chief of the SEC Enforcement Division’s Cyber Unit Kristina Littman stated that Investment advisers and broker dealers should fulfill their obligations related to securing the customer information. It was also added that only writing a policy requiring enhanced security measures is not enough if the requirements are not fully implemented, especially in the case of known attacks.

As per the SEC’s order against the Cetera Entities, cloud-based email accounts of above 60 personnel were accessed by unauthorized third parties between November 2017 and June 2020. This resulted in exposing personally identifying information (PII) of around 4,388 customers and clients. The SEC records that the accounts taken over were not protected according to their policies.

The SEC also fined Cetera Advisors and Cetera Investment Advisers for sending notifications to customers, which misled them regarding how early they were informed of the breaches after they occurred.

The announcement also explains that between January 2018 and July 2021, cloud-based email accounts of more than 121 Cambridge reps were taken over by third parties. This resulted in the PII exposure of 2,177 Cambridge customers and clients.  

Similarly, the SEC’s charge against KMS states that between September 2018 and December 2019, cloud-based email accounts of around 15 KMS financial advisers were taken over by third parties. This resulted in the PII exposure of around 4,900 KMS customers and clients. 

Moreover, KMS failed to follow written policies and procedures requiring additional firm-wide security measures, placing customer and client records at risk.

The analyses were directed by the Chicago Regional Office and the New York Regional Office with the assistance of the National Examination Program. 

Also Read: Single-factor authentication enters the list of Bad Practices