SEC fines brokers, investment advisory groups for cyber violationsPosted On: Aug. 31, 2021 2:53 PM CST
The U.S. Securities and Exchange Commission said Monday it has levied fines totaling $750,000 against three broker-dealers/investment advisory groups for cybersecurity policy failures that resulted in email account takeovers exposing the personal information of thousands of customers and clients.
Eight companies representing three groups were charged by the SEC with violating federal securities law and sanctioned:
- El Segundo, California-based Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC and Cetera Investment Advisers, collectively the Cetera entities.
- Fairfield, Iowa-based Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc., collectively Cambridge.
- Seattle-based KMS Financial Services.
All three groups were registered as broker-dealers/investment advisory firms, or both.
The SEC said in its statement that the cloud-based email accounts of more than 60 Cetera entities’ personnel were taken over by unauthorized third parties between November 2017 and June 2020, resulting in the personally identifying information of at least 4,388 customers’ and clients’ exposure.
The agency said breach notifications sent by Cetera Advisors and Cetera Investment Advisors included misleading information suggesting the notifications were issued much sooner than they actually were after the incidents’ discovery.
The SEC recently has cracked down on companies it deems to have breached securities laws by making inadequate cybersecurity disclosures, and it’s expected to continue to pursue enforcement activity.
Cetera will pay a $300,00 penalty, the SEC said.
The SEC’s order against Cambridge said between January 2018 and July 2021 cloud-based email accounts of more than 121 Cambridge representatives were taken over by unauthorized third parties, resulting in the release of personally identifying information of at least 2,177 Cambridge customers and clients.
It said although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for its representatives’ cloud-based email accounts until 2021, which resulted in the exposure and potential exposure of additional customer and clients records and information. The SEC said Cambridge will pay a $250,000 penalty.
In KMS’ case, the SEC said cloud-based email accounts of 15 of its advisers or their assistants were taken over by unauthorized third parties between September 2018 and December 2019, resulting in the personally identifying information exposure of about 4,900 customers and clients.
It said KMS also did not adopt policies and procedures requiring firmwide security measures until May 2020 and did not fully implement those additional security measures firmwide until August 2020, putting additional data at risk. The SEC said KMS will pay a $200,000 penalty.
A Cambridge spokesman said in a statement, it “does not comment on regulatory matters. Cambridge has and does maintain a robust information security group and procedures to ensure client’s accounts are fully protected.” Contacts at the other companies could not be located.