SEC orders Portland-based hybrid firm to pay $325k over cybersecurity lapses

SEC orders Portland-based hybrid firm to pay $325k over cybersecurity lapses
M Holdings' failure to maintain written policies led to a third-party breach that compromised multiple email accounts and impacted 8.500 individuals, according to the regulator.
NOV 25, 2025

The Securities and Exchange Commission has levied a $325,000 penalty against M Holdings Securities for failing to maintain adequate cybersecurity safeguards across its nationwide network of member firms, marking the latest enforcement action targeting inadequate information security practices in the wealth management industry.

M Holdings, which oversees approximately $4.1 billion in regulatory assets under management through 120 branch offices, violated the SEC's Safeguards Rule and Identity Theft Red Flags Rule over a nearly five-year period, according to an SEC order published Tuesday.

As outlined in the SEC order, an investigation by the SEC found the firm did not implement comprehensive information security policies despite being aware of significant gaps in protection at its member firms.

The Portland, Oregon-based firm, which provides brokerage and investment advisory services through roughly 700 registered representatives, did not establish written information security policies governing its member firm network until September 2020. Even after implementing that policy, "a significant number of M Holdings member firms continued to lack required information security policies and controls through the Relevant Period," according to the SEC.

That shortfall had direct consequences. Between July 2019 and March 2024, unauthorized third parties gained access to email accounts at more than a dozen of M Holdings' 120 member firms, with 17 separate compromises occurring.

Attackers sent phishing and credential-harvesting emails to approximately 8,500 individuals, many of them customers. The worst-case scenario came from one incident that resulted in an unauthorized wire transfer from a customer's account. Customers' records and personally identifiable information were also exposed.

"These email account takeovers occurred at these 13 member firms that either had no written information security policies or had policies that were not reasonably designed because, for example, they did not have information security controls required by the Policy, such as [multi-factor authentication], incident response policies, or annual security awareness training," the order stated.

M Holdings also failed to update its Identity Theft Prevention Program to reflect evolving cybersecurity threats. The firm's program remained largely unchanged from at least 2015 through 2024, despite ongoing security incidents affecting customers.

"Although M Holdings' Program included 'procedures to prevent and mitigate identity theft,' those procedures did not contain or reference steps that member firms should take in response to a cybersecurity incident, such as the email account takeovers experienced by member firms in the Relevant Period," the SEC found.

The firm has since undertaken remedial measures, including hiring a Chief Information Security Officer and Chief Privacy Officer, implementing formal member firm risk assessments, and establishing a third-party vendor risk management team.

Latest News

Advisor moves: FiNet practice Merrit Point tucks in $1B Truist team in Florida debut
Advisor moves: FiNet practice Merrit Point tucks in $1B Truist team in Florida debut

Elsewhere, a Commonwealth team in Massachusetts converts to Cetera, while Janney draws four former Wells Fargo advisors to its Radnor, Pennsylvania office.

Trader used firm ties to freeze $3.6 million, investors allege
Trader used firm ties to freeze $3.6 million, investors allege

Clients say he copied the boss on his emails - and now they can't touch their cash.

CFTC alleges North Carolina fund manager faked profits, lost $8.6 million
CFTC alleges North Carolina fund manager faked profits, lost $8.6 million

He wired millions to his own accounts and told investors the fund was winning.

OnePoint BFG taps RISR as advisors chase business-owner clients
OnePoint BFG taps RISR as advisors chase business-owner clients

The partnership arrives as most small business owners near retirement age still don't have a formal succession plan in place.

Trust & Will cuts staff amid restructuring, AI disruption
Trust & Will cuts staff amid restructuring, AI disruption

A spokesperson for the estate planning fintech cited AI's reshaping of the industry as Trust & Will restructures its business.

SPONSORED Who builds the income when the pension disappears?

Dan Biagini of American Equity says the steady decline of pensions, longer lifespans and a reset in interest rates are rewriting how advisors build retirement income

SPONSORED Why direct indexing stopped being optional

Direct indexing is on pace to outgrow ETFs and mutual funds. Northern Trust's Ken Lassner explains why the advisors who get it wish they had started sooner.