The Securities and Exchange Commission has levied a $325,000 penalty against M Holdings Securities for failing to maintain adequate cybersecurity safeguards across its nationwide network of member firms, marking the latest enforcement action targeting inadequate information security practices in the wealth management industry.
M Holdings, which oversees approximately $4.1 billion in regulatory assets under management through 120 branch offices, violated the SEC's Safeguards Rule and Identity Theft Red Flags Rule over a nearly five-year period, according to an SEC order published Tuesday.
According to the order, the SEC's investigation found that the firm did not implement comprehensive information security policies despite being aware of significant gaps in protection at its member firms.
The Portland, Oregon-based firm, which provides brokerage and investment advisory services through roughly 700 registered representatives, did not establish written information security policies governing its member firm network until September 2020. Even after implementing that policy, "a significant number of M Holdings member firms continued to lack required information security policies and controls through the Relevant Period," according to the SEC.
That shortfall had direct consequences. Between July 2019 and March 2024, unauthorized third parties gained access to email accounts at more than a dozen of M Holdings' 120 member firms, with 17 separate compromises occurring.
Attackers sent phishing and credential-harvesting emails to approximately 8,500 individuals, many of them customers. The most severe incident resulted in an unauthorized wire transfer from a customer's account. Customers' records and personally identifiable information were also exposed.
"These email account takeovers occurred at these 13 member firms that either had no written information security policies or had policies that were not reasonably designed because, for example, they did not have information security controls required by the Policy, such as [multi-factor authentication], incident response policies, or annual security awareness training," the order stated.
M Holdings also failed to update its Identity Theft Prevention Program to reflect evolving cybersecurity threats. The firm's program remained largely unchanged from at least 2015 through 2024, despite ongoing security incidents affecting customers.
"Although M Holdings' Program included 'procedures to prevent and mitigate identity theft,' those procedures did not contain or reference steps that member firms should take in response to a cybersecurity incident, such as the email account takeovers experienced by member firms in the Relevant Period," the SEC found.
The firm has since undertaken remedial measures, including hiring a Chief Information Security Officer and Chief Privacy Officer, implementing formal member firm risk assessments, and establishing a third-party vendor risk management team.