The US Securities and Exchange Commission (SEC) has settled charges with eight investment firms for allegedly failing to adopt and implement written policies and procedures designed to protect customer records and information. The regulator claims the failures allowed email account takeovers that exposed the personal information of thousands of customers and clients.
The eight firms are Cambridge Investment Research Inc., Cambridge Investment Research Advisors Inc., Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, Cetera Investment Advisers LLC, and KMS Financial Services Inc. All are registered with the SEC as broker/dealers (B/Ds), investment advisory firms, or both.
According to the SEC’s cease-and-desist order against Cambridge Investment Research and Cambridge Investment Research Advisors, cloud-based email accounts of more than 120 company employees were taken over by unauthorized third parties between January 2018 and July 2021, which exposed the personally identifiable information of nearly 2,200 Cambridge clients. The SEC alleged that Cambridge did not adopt and implement enhanced security measures for cloud-based email accounts of its representatives until 2021, despite knowing about the first email account takeover more than three years earlier.
The SEC also alleged that cloud-based email accounts of more than 60 employees of the five Cetera companies were commandeered by unauthorized third parties between November 2017 and June 2020, exposing the personal information of nearly 4,400 clients. According to the cease-and-desist order against the Cetera firms, none of the accounts taken over were protected in a way that was consistent with the companies’ policies.
The SEC also alleged that Cetera Advisors and Cetera Investment Advisers sent breach notifications to their clients containing misleading language that suggested the firms had notified clients much sooner after discovering the breach than they actually had.
The regulator also alleged that the cloud-based email accounts of 15 KMS financial advisers or their assistants were taken over by unauthorized third parties between September 2018 and December 2019, which led to the exposure of approximately 4,900 clients’ information. The SEC said KMS waited until May 2020 to adopt written policies and procedures requiring additional security measures and that it didn’t fully implement them until three months later.
“Investment advisers and broker/dealers must fulfill their obligations concerning the protection of customer information,” Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit, said in a statement. “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”
The SEC alleges that each of the eight firms violated the so-called “Safeguards Rule,” which is intended to protect confidential customer information. Without admitting or denying the SEC’s findings, each firm agreed to be censured and pay a penalty, and to cease and desist from future violations of the charged provisions. The Cetera companies will pay a $300,000 penalty; the Cambridge firms will pay a $250,000 penalty; and KMS will pay a $200,000 penalty.
The SEC announced in March that it would examine whether investment firms are able to manage cyber risk as office workers continue to work from home. The securities regulator said it would scrutinize their ability to protect investors’ identities, prevent unauthorized access to accounts, and defend against phishing or ransomware attacks.