SEC Settles With Eight Financial Firms Over Inadequate Cybersecurity Protections

On Monday, the Securities and Exchange Commission (SEC) sanctioned the companies for email account takeovers that exposed the personally identifying information (PII) of thousands of customers and clients at each registered broker dealer and/or investment advisory firm. According to the SEC’s press release, the companies failed to implement cybersecurity policies and procedures in violation of the Safeguards Rule, which aims to protect consumers’ personal data.

Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, Cetera); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS) were the respondents of the three actions and have all agreed to settle the charges. With regard to Cetera, the SEC’s order explains that for nearly three years, cloud-based email accounts of more than 60 employees were infiltrated by unauthorized third parties, exposing at least 4,388 clients PII.

The order found that none of the accounts featured the protections required by Cetera’s policies. In addition, the SEC charged two of the Cetera entities with sending breach notifications to clients containing “misleading language suggesting that the notifications were issued much sooner than they actually were after discovery of the incidents,” in violation of Section 206(4) of the Advisers Act and Rule 206(4)-7.

The orders against Cambridge and KMS were similar. In the case of Cambridge, the commission concluded that exposed client data resulted from insufficient precautions. “[A]lthough Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021, resulting in the exposure and potential exposure of additional customer and client records and information,” the press release further explained.

The parties agreed to resolve the charges without admitting or denying the SEC’s findings. As part of the settlements, each firm agreed not to commit future violations of the charged provisions, to be censured and to pay a penalty, $300,000 for Cetera, $250,000 for Cambridge, and $200,000 for KMS.