The U.S. Securities and Exchange Commission charged three financial services companies for failing to uphold cybersecurity procedures, which resulted in the exposure of thousands of customers' personal information.
The SEC announced Monday it sanctioned the broker-dealer and investment advisory firms in three actions for cybersecurity failures after threat actors gained unauthorized access to personally identifiable information (PII) for customers and clients by hacking into cloud-based email accounts. The three companies, Cetera Financial Group, Cambridge Investment Research and KMS Financial Services Inc., have agreed to settle the charges without admitting to or denying the SEC's findings. Individual fines waver from $200,000 to $300,000.
The findings include violations against regulations designed to protect confidential customer information like the Safeguards Rule, as well as improper breach notification to clients. The Safeguards Rule requires every broker-dealer and investment adviser registered with the SEC to adopt written policies and procedures reasonably designed to safeguard customer records and information.
Cetera is charged with neglecting both. According to the SEC filing, between November 2017 and June 2020, "accounts of over 60 Cetera Entities' personnel were taken over by unauthorized third parties, resulting in the exposure of … PII of at least 4,388 customers and clients." In its findings, the SEC said none of the hacked accounts were protected in a manner consistent with Cetera policies.
Additionally, the order found that Cetera Advisors LLC and Cetera Investment Advisers LLC sent breach notifications to the firms' clients that included "misleading template language suggesting that the notifications were issued much sooner than they actually were after the discovery of the incidents." According to the litigation, "the breach notifications referred to the incidents as 'recent' and stated that the representatives had 'learned that an unauthorized individual gained access' to the recipient's PII two months before the breach notification." However, the order stated, each firm had learned of the breach at least six months earlier.
For one of Cetera's firms, it was not the first run-in with the SEC. In August 2019, Cetera Advisors LLC was charged with "breaching its fiduciary duty and defrauding its retail advisory clients by, among other things, failing to disclose conflicts of interest related to the firm's receipt of over $10 million in undisclosed compensation."
Cetera declined to comment on the charges of deficient cybersecurity procedures.
The incident which led to the sanction of Cambridge Investment Research occurred between January 2018 and July of this year. In that timespan, email accounts of over 121 Cambridge representatives were taken over, resulting in the PII exposure of at least 2,177 customer and clients.
"The SEC's order finds that although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021, resulting in the exposure and potential exposure of additional customer and client records and information," the press release said.
In an email to SearchSecurity, Cambridge said it does not comment on regulatory matters, but it has and does maintain a comprehensive information security group and procedures to ensure clients' accounts are fully protected.
Seattle-based broker KMS, which was acquired by Ladenburg Thalmann and Co. Inc. in 2014, is being charged after the email accounts of 15 advisors, or their assistants, were accessed from September 2018 to December of 2019. The attack resulted in the PII exposure of approximately 4,900 KMS customers and clients.
According to the press release, the SEC order found that "KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020, and did not fully implement those additional security measures firm-wide until August 2020, placing additional customer and client records and information at risk." In the litigation, the SEC said "it was approximately 21 months after discovery of the first breach, in which approximately 2,700 emails of one KMS financial adviser were exposed for a period of 26 days during which unauthorized third parties forwarded the financial adviser's emails to an email address outside of the firm."
Part of KMS' written policy and procedures, according to the filing, state that financial advisers were obligated to adhere to KMS' Computer and Network Security Policies (CNSP). While the CNSP required maintaining strong passwords, the use of antivirus and secure wireless networks, it did not require the use of multifactor authentication for accessing sensitive data.
KMS did not respond to requests for comment.
While the SEC does engage in cyber enforcement actions, Monday's announcement stands out for its focus on failures protecting customer data. Many companies and individuals recently sanctioned by SEC cyber enforcement actions have allegedly defrauded customers and defied financial regulations regarding cryptocurrency, initial coin offerings, selling digital assets and more.
For example, in October of last year, the SEC charged the late John McAfee for promoting investments in initial coin offerings to his Twitter followers without disclosing that he was paid to do so. Combined with indictments from the Department of Justice, McAfee was subsequently arrested. Actor Steven Seagal also made the list for failing to disclose payments he received for promoting an investment in an initial coin offering.