SEC fines multiple firms for cybersecurity lapses that exposed client data

The agency fined 8 firms, including Cetera and Cambridge, a total of $750,000 for inadequate policies and procedures to protect customer information.
AUG 30, 2021

The Securities and Exchange Commission on Monday ordered eight financial firms to pay a total of $750,000 in fines for deficient cybersecurity protections that led to the exposure of client and customer information at various times over the last four years.

The SEC enforcement action involved five Cetera Financial Group operations -- Cetera Advisor Networks, Cetera Investment Services, Cetera Financial Specialists, Cetera Advisors and Cetera Investment Advisers -- as well as Cambridge Investment Research Inc., Cambridge Investment Research Advisors Inc. and KMS Financial Services Inc., an affiliate of Ladenburg Thalmann Financial Services.

The SEC charged the firms with violating the Safeguards Rule, which requires investment advisory firms and brokerages to adopt written policies and procedures that are designed to protect customer records and information against cybersecurity attacks or other unauthorized access that could cause substantial investor harm or inconvenience.

Cetera will pay a $300,000 fine, while Cambridge will pay $250,000 and KMS will pay $200,000. The firms agreed to cease and desist from future violations and pay the penalties without admitting or denying the SEC's findings.

"Investment advisers and broker-dealers must fulfill their obligations concerning the protection of customer information," Kristina Littman, chief of the SEC Enforcement Division's Cyber Unit, said in a statement. "It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks."

Cambridge did not comment specifically on the SEC enforcement action, but a spokesperson defended its cybersecurity practices.

“Cambridge has and does maintain a robust information security group and procedures to ensure client’s accounts are fully protected,” said Cambridge spokesperson Jeff Wulf.

Spokespersons for Cetera and KMS did not immediately respond to a request for comment.

The SEC alleged that between November 2017 and June 2020, cloud-based email accounts of more than 60 Cetera personnel were taken over by unauthorized third parties, resulting in the exposure of more than 4,388 customers’ personally identifiable information stored in the compromised email accounts, according to the SEC order. None of the accounts had multi-factor authentication, even though Cetera policies required that security step beginning in 2018. The account takeovers did not result in unauthorized trades or transfers from the customer accounts.

The SEC also charged Cetera Advisors and Cetera Investment Advisers with sending notifications to clients that misled them about how soon they were told of the breaches after they occurred.

In its order against Cambridge, the SEC alleged that from January 2018 through July 1, 2021, cloud-based email accounts of more than 121 Cambridge independent contractor representatives were taken over by outsiders, resulting in the exposure of at least 2,177 customers’ personally identifiable information and potential exposure for another 3,800 customers. Even though Cambridge discovered the first takeover in January 2018, it didn’t require multi-factor authentication until 2021.

In its order against KMS Financial Services, the SEC alleged that between September 2018 and December 2019, 15 cloud-based KMS financial adviser email accounts were breached, resulting in the exposure of records and information of approximately 4,900 customers. The firm discovered the first compromised email in November 2018 but did not implement additional cybersecurity measures until August 2020.
