
SEC Charges Firms with Deficient Cybersecurity Practices

Regulatory Compliance

The Securities and Exchange Commission has sanctioned eight firms in three actions for failures in their cybersecurity policies and procedures. 

According to an Aug. 30 announcement, the cybersecurity failures resulted in email account takeovers exposing the personal information of thousands of customers and clients at each of the firms. 

The eight firms are Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, the Cetera Entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. All were Commission-registered as broker dealers, investment advisory firms or both, the announcement notes. They have agreed to settle the charges, resulting in a collective $750,000 in fines.

The Penalties 

The SEC’s orders against each of the firms find that they violated Rule 30(a) of Regulation S-P—also known as the Safeguards Rule—which is designed to protect confidential customer information by requiring every broker-dealer and investment adviser registered with the Commission to adopt written policies and procedures.

The order against the Cetera Entities also finds that Cetera Advisors and Cetera Investment Advisers violated Section 206(4) of the Advisers Act and Rule 206(4)-7 in connection with their breach notifications to clients.

Without admitting or denying the findings, each firm agreed to cease and desist from future violations of the charged provisions, to be censured and to pay a penalty. The Cetera Entities will pay a $300,000 penalty, Cambridge will pay a $250,000 penalty and KMS will pay a $200,000 penalty.

“Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information,” Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit, said in a statement. “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”

The Breaches 

According to the SEC’s order against the Cetera Entities, between November 2017 and June 2020, cloud-based email accounts of more than 60 personnel were taken over by unauthorized third parties, resulting in the exposure of personally identifying information (PII) of at least 4,388 customers and clients. None of the accounts that were taken over were protected in a manner consistent with the Cetera Entities’ policies, the SEC notes. 

The SEC’s order also finds that Cetera Advisors and Cetera Investment Advisers sent breach notifications to the firms’ clients that purportedly included misleading language suggesting that the notifications were issued much sooner than they actually were after discovery of the incidents.

According to the SEC’s order against Cambridge, between January 2018 and July 2021, cloud-based email accounts of over 121 Cambridge representatives were taken over by unauthorized third parties, resulting in the PII exposure of at least 2,177 Cambridge customers and clients, the announcement explains.  

Additionally, the SEC’s order finds that although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021. This, the SEC notes, resulted in the exposure and potential exposure of additional customer and client records and information.

Similarly, the SEC’s order against KMS explains that between September 2018 and December 2019, cloud-based email accounts of 15 KMS financial advisers or their assistants were taken over by unauthorized third parties, resulting in the PII exposure of approximately 4,900 KMS customers and clients. 

The SEC’s order also finds that KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020, and did not fully implement those additional security measures firm-wide until August 2020, placing additional customer and client records at risk.

The examinations which led to the investigations were conducted by the Chicago Regional Office and the New York Regional Office with the assistance of the National Examination Program. 

The SEC announced last March that its 2021 examination priorities will include a greater focus on cybersecurity practices to safeguard customer accounts and prevent account intrusions. The SEC also cautioned in a September 2020 Risk Alert that it has observed an increase in cyberattacks against RIAs and BDs, and urged firms to remain vigilant and proactively address emergent cyber risks.
