SEC fines multiple firms for cybersecurity lapses that exposed client data

SEC fines multiple firms for cybersecurity lapses that exposed client data
The agency fined 8 firms, including Cetera and Cambridge, a total of $750,000 for inadequate policies and procedures to protect customer information.
AUG 30, 2021

The Securities and Exchange Commission on Monday ordered eight financial firms to pay a total of $750,000 in fines for deficient cybersecurity protections that led to the exposure of client and customer information at various times over the last four years.

The SEC enforcement action involved five Cetera Financial Group operations -- Cetera Advisor Networks, Cetera Investment Services, Cetera Financial Specialists, Cetera Advisors and Cetera Investment Advisers -- as well as Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. and KMS Financial Services Inc., an affiliate of  Ladenburg Thalmann Financial Services.

The SEC charged the firms with violating the Safeguards Rule, which requires investment advisory firms and brokerages to adopt written policies and procedures that are designed to protect customer records and information against cybersecurity attacks or other unauthorized access that could cause substantial investor harm or inconvenience.

Cetera will pay a $300,000 fine, while Cambridge will pay $250,000 and KMS will pay $200,000. The firms agreed to cease and desist from future violations and pay the penalties without admitting or denying the SEC's findings.

"Investment advisers and broker-dealers must fulfill their obligations concerning the protection of customer information," Kristina Littman, chief of the SEC Enforcement Division's Cyber Unit, said in a statement. "It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks."

Cambridge did not comment specifically on the SEC enforcement action, but a spokesperson defended its cybersecurity practices.

“Cambridge has and does maintain a robust information security group and procedures to ensure client’s accounts are fully protected,” said Cambridge spokesperson Jeff Wulf.

Spokespersons for Cetera and KMS did not immediately respond to a request for comment.

The SEC alleged that between November 2017 and June 2020 cloud-based email accounts of more than 60 Cetera personnel were taken over by unauthorized third parties resulting in the exposure of more than 4,388 customers’ personally identifiable information stored in the compromised email accounts, according to the SEC order.  None of the accounts had multi-factor authentication, even though Cetera policies required that security step beginning in 2018. The account takeovers did not result in unauthorized trades or transfers from the customer accounts.

The SEC also charged Cetera Advisors and Cetera Investment Advisers with sending notifications to clients that misled them about how soon they were told of the breaches after they occurred.

In its order against Cambridge, the SEC alleged that from January 2018 through July 1, 2021, cloud-based email accounts of more than 121 Cambridge independent contractor representatives were taken over by outsiders, resulting in the exposure of at least 2,177 customers’ personally identifiable information and potential exposure for another 3,800 customers. Even though Cambridge discovered the first takeover in January 2018, it didn’t require multi-factor authentication until 2021.

In its order against KMS Financial Services, the SEC alleged that between September 2018 and December 2019, 15 cloud-based KMS financial adviser email accounts were breached, resulting in the exposure of records and information of approximately 4,900 customers. The firm discovered the first compromised email in November 2018 but did not implement additional cybersecurity measures until August 2020.

Latest News

Sowell selects Tifin to supercharge client acquisition
Sowell selects Tifin to supercharge client acquisition

Strengthening their years-long connection, the strategic partnership will give the Arkansas-based RIA access to fresh insights to drive asset growth.

Erisa at 50: Retirement leaders reflect on what it got right, and wrong
Erisa at 50: Retirement leaders reflect on what it got right, and wrong

Many workers still don't participate in plans or contribute enough to their accounts, and a former DOL leader says she wishes IRAs were looped into the Employee Retirement Income Security Act.

Does more AI use mean more clients? Think again
Does more AI use mean more clients? Think again

Experts warn that despite AI’s ability to scale, it doesn’t replace the human, emotional relationship with clients.

Going beyond DEI. How to 'Lead Bigger' by leveraging inclusion
Going beyond DEI. How to 'Lead Bigger' by leveraging inclusion

In her new book 'Lead Bigger,' former AT&T executive Ann Chow explains how today's leader can leverage inclusion to grow their business.

Raymond James lands $360M team from LPL
Raymond James lands $360M team from LPL

The latest hires catering to business owners and family offices are joining its independent employee division, Raymond James Advisor Select, in Mississipi.

SPONSORED Leading through innovation – with Tom Ruggie of Destiny Wealth Partners

Uncover the key initiatives behind Destiny Wealth Partners’ success and how it became one of the fastest growing fee-only RIAs.

SPONSORED Explore four opportunities to elevate advisor-client relationships

Morningstar’s Joe Agostinelli highlights strategies for advisors to deepen client engagement and drive success