ThinkAdvisor

SEC Fines Cetera, Cambridge and KMS $750K Over Email Hacks

What You Need to Know

  • Cetera, Cambridge and KMS Financial were sanctioned.
  • Failures in their cybersecurity policies and procedures resulted in email account takeovers.
  • Thousands of clients' personal information was exposed.

The Securities and Exchange Commission on Monday sanctioned several firms, including Cetera and Cambridge Investment Research, for failures in their cybersecurity policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm.

The eight firms, which have agreed to settle the charges, are:

  • Cetera Advisor Networks LLC;
  • Cetera Investment Services LLC;
  • Cetera Financial Specialists LLC;
  • Cetera Advisors LLC;
  • Cetera Investment Advisers LLC;
  • Cambridge Investment Research Inc.;
  • Cambridge Investment Research Advisors Inc.; and
  • KMS Financial Services Inc. (which is now part of Advisor Group).

All were registered with the SEC as broker-dealers, investment advisory firms, or both.

The Cetera entities will pay a $300,000 penalty; Cambridge will pay a $250,000 penalty; and KMS will pay a $200,000 penalty.

According to the SEC’s order against the Cetera Entities, between November 2017 and June 2020, cloud-based email accounts of over 60 Cetera entities’ personnel were taken over by unauthorized third parties, resulting in the exposure of personally identifying information of at least 4,388 clients.

None of the taken-over accounts were protected in a manner consistent with the Cetera entities’ policies, the SEC said.

Other Details of SEC Order

The SEC’s order also finds that Cetera Advisors and Cetera Investment Advisers “sent breach notifications to the firms’ clients that included misleading language suggesting that the notifications were issued much sooner than they actually were after discovery of the incidents.”

According to the SEC’s order against Cambridge, between January 2018 and July 2021, cloud-based email accounts of over 121 Cambridge representatives were taken over by unauthorized third parties, resulting in the PII exposure of at least 2,177 Cambridge clients.

Although Cambridge discovered the first email account takeover in January 2018, the SEC said, “it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021, resulting in the exposure and potential exposure of additional customer and client records and information.”

Cambridge said in a comment shared with ThinkAdvisor on Monday that while Cambridge does not comment on regulatory matters, the firm “has and does maintain a robust information security group and procedures to ensure clients’ accounts are fully protected.”

According to the SEC’s order against KMS, between September 2018 and December 2019, cloud-based email accounts of 15 KMS financial advisers or their assistants were taken over by unauthorized third parties, resulting in the PII exposure of approximately 4,900 KMS customers and clients.

The SEC’s order further finds that KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020, and did not fully implement those additional security measures firm-wide until August 2020, placing additional client records and information at risk.

“Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information,” said Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit. “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”

The SEC’s orders against each of the firms find that they violated Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which is designed to protect confidential customer information.

Without admitting or denying the SEC’s findings, each firm agreed to cease and desist from future violations of the charged provisions, to be censured and to pay a penalty.