By Natalie DeCoste

The Securities and Exchange Commission (SEC) announced sanctions on Aug. 30 against eight firms in three actions for failures in their cybersecurity policies and procedures. The SEC said the failures in cybersecurity policies and procedures resulted in email account takeovers that exposed the personal information of thousands of customers and clients at each firm. 

The eight firms involved in the security failures are Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, the Cetera Entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS). All the firms are Commission-registered as broker-dealers, investment advisory firms, or both.

The SEC’s orders against each firm found that they violated Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, designed to protect confidential customer information. All firms have agreed to settle with the SEC, resulting in a collective $750,000 in fines. The settlement means the companies are not admitting or denying the SEC’s findings. 

Each firm agreed to cease and desist from future violations of the charged provisions, be censured, and pay a penalty. The Cetera entities will pay a $300,000 penalty; Cambridge will pay a $250,000 penalty; KMS will pay a $200,000 penalty.

“Investment advisers and broker-dealers must fulfill their obligations concerning the protection of customer information. It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks,” said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit.

According to the SEC’s order against the Cetera entities, the security breaches in the company’s cloud-based email accounts occurred between November 2017 and June 2020. The breaches impacted the email accounts of over 60 Cetera Entities employees. The accounts were taken over by unauthorized third parties, resulting in the exposure of personally identifying information of at least 4,388 customers and clients of Cetera.

None of the affected email accounts were protected in a manner consistent with Cetera Entities’ security policies. The SEC investigation also revealed that Cetera Advisors LLC and Cetera Investment Advisers LLC sent breach notifications to the firms’ clients, including misleading language suggesting that the notifications were issued much sooner than they were after discovering the incidents.

According to the SEC’s order against Cambridge, the breaches of the company’s cloud-based email accounts occurred between January 2018 and July 2021. The breaches impacted over 121 Cambridge representatives whose accounts were taken over by unauthorized third parties, resulting in the exposure of personally identifying information of at least 2,177 Cambridge customers and clients. 

In the order, it was revealed that while Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for the cloud-based email accounts of its representatives until 2021. This failure resulted in the exposure and potential exposure of additional customer and client records and information.

For the order against KMS, breaches of the company’s cloud-based email accounts for 15 KMS financial advisers or their assistants occurred between September 2018 and December 2019. The result was the exposure of personally identifying information of at least 4,900 KMS customers and clients. 

Furthermore, the order finds that KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020. Those additional security measures were not fully implemented firm-wide until August 2020, placing customer and client records and information at risk.