SEC orders Portland-based hybrid firm to pay $325k over cybersecurity lapses

M Holdings' failure to maintain written policies led to third-party breaches that compromised multiple email accounts and affected 8,500 individuals, according to the regulator.
NOV 25, 2025

The Securities and Exchange Commission has levied a $325,000 penalty against M Holdings Securities for failing to maintain adequate cybersecurity safeguards across its nationwide network of member firms, marking the latest enforcement action targeting inadequate information security practices in the wealth management industry.

M Holdings, which oversees approximately $4.1 billion in regulatory assets under management through 120 branch offices, violated the SEC's Safeguards Rule and Identity Theft Red Flags Rule over a nearly five-year period, according to an SEC order published Tuesday.

According to the order, the SEC's investigation found that the firm did not implement comprehensive information security policies despite being aware of significant gaps in protection at its member firms.

The Portland, Oregon-based firm, which provides brokerage and investment advisory services through roughly 700 registered representatives, did not establish written information security policies governing its member firm network until September 2020. Even after implementing that policy, "a significant number of M Holdings member firms continued to lack required information security policies and controls through the Relevant Period," according to the SEC.

That shortfall had direct consequences. Between July 2019 and March 2024, unauthorized third parties gained access to email accounts at more than a dozen of M Holdings' 120 member firms, in 17 separate compromises.

Attackers used the compromised accounts to send phishing and credential-harvesting emails to approximately 8,500 individuals, many of them customers. In the most serious incident, an attacker initiated an unauthorized wire transfer from a customer's account. Customers' records and personally identifiable information were also exposed.

"These email account takeovers occurred at these 13 member firms that either had no written information security policies or had policies that were not reasonably designed because, for example, they did not have information security controls required by the Policy, such as [multi-factor authentication], incident response policies, or annual security awareness training," the order stated.

M Holdings also failed to update its Identity Theft Prevention Program to reflect evolving cybersecurity threats. The firm's program remained largely unchanged from at least 2015 through 2024, despite ongoing security incidents affecting customers.

"Although M Holdings' Program included 'procedures to prevent and mitigate identity theft,' those procedures did not contain or reference steps that member firms should take in response to a cybersecurity incident, such as the email account takeovers experienced by member firms in the Relevant Period," the SEC found.

The firm has since undertaken remedial measures, including hiring a Chief Information Security Officer and Chief Privacy Officer, implementing formal member firm risk assessments, and establishing a third-party vendor risk management team.
