What You Need to Know
- Cetera, Cambridge and KMS Financial were sanctioned.
- Failures in their cybersecurity policies and procedures resulted in email account takeovers.
- Thousands of clients' personal information was exposed.
The Securities and Exchange Commission Monday sanctioned several firms — including Cetera and Cambridge Investment Research — for failures in their cybersecurity policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm.
The eight firms, which have agreed to settle the charges, are:
- Cetera Advisor Networks LLC;
- Cetera Investment Services LLC;
- Cetera Financial Specialists LLC;
- Cetera Advisors LLC;
- Cetera Investment Advisers LLC;
- Cambridge Investment Research Inc.;
- Cambridge Investment Research Advisors Inc.; and
- KMS Financial Services Inc. (which is now part of Advisor Group).
All were registered with the SEC as broker-dealers, investment advisory firms, or both.
The Cetera entities will pay a $300,000 penalty; Cambridge will pay a $250,000 penalty; and KMS will pay a $200,000 penalty.
According to the SEC’s order against the Cetera Entities, between November 2017 and June 2020, cloud-based email accounts of over 60 Cetera entities’ personnel were taken over by unauthorized third parties, resulting in the exposure of personally identifying information of at least 4,388 clients.
None of the taken-over accounts were protected in a manner consistent with the Cetera entities’ policies, the SEC said.
Other Details of SEC Order
The SEC’s order also finds that Cetera Advisors and Cetera Investment Advisers “sent breach notifications to the firms’ clients that included misleading language suggesting that the notifications were issued much sooner than they actually were after discovery of the incidents.”
According to the SEC’s order against Cambridge, between January 2018 and July 2021, cloud-based email accounts of over 121 Cambridge representatives were taken over by unauthorized third parties, resulting in the PII exposure of at least 2,177 Cambridge clients.