The Securities and Exchange Commission on Monday ordered eight financial firms to pay a total of $750,000 in fines for deficient cybersecurity protections that led to the exposure of client and customer information at various times over the last four years.
The SEC enforcement action involved five Cetera Financial Group operations -- Cetera Advisor Networks, Cetera Investment Services, Cetera Financial Specialists, Cetera Advisors and Cetera Investment Advisers -- as well as Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. and KMS Financial Services Inc., an affiliate of Ladenburg Thalmann Financial Services.
The SEC charged the firms with violating the Safeguards Rule, which requires investment advisory firms and brokerages to adopt written policies and procedures that are designed to protect customer records and information against cybersecurity attacks or other unauthorized access that could cause substantial investor harm or inconvenience.
Cetera will pay a $300,000 fine, while Cambridge will pay $250,000 and KMS will pay $200,000. The firms agreed to cease and desist from future violations and pay the penalties without admitting or denying the SEC's findings.
"Investment advisers and broker-dealers must fulfill their obligations concerning the protection of customer information," Kristina Littman, chief of the SEC Enforcement Division's Cyber Unit, said in a statement. "It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks."
Cambridge did not comment specifically on the SEC enforcement action, but a spokesperson defended its cybersecurity practices.
“Cambridge has and does maintain a robust information security group and procedures to ensure client’s accounts are fully protected,” said Cambridge spokesperson Jeff Wulf.
Spokespersons for Cetera and KMS did not immediately respond to a request for comment.
The SEC alleged that between November 2017 and June 2020 cloud-based email accounts of more than 60 Cetera personnel were taken over by unauthorized third parties resulting in the exposure of more than 4,388 customers’ personally identifiable information stored in the compromised email accounts, according to the SEC order. None of the accounts had multi-factor authentication, even though Cetera policies required that security step beginning in 2018. The account takeovers did not result in unauthorized trades or transfers from the customer accounts.
The SEC also charged Cetera Advisors and Cetera Investment Advisers with sending notifications to clients that misled them about how soon they were told of the breaches after they occurred.
In its order against Cambridge, the SEC alleged that from January 2018 through July 1, 2021, cloud-based email accounts of more than 121 Cambridge independent contractor representatives were taken over by outsiders, resulting in the exposure of at least 2,177 customers’ personally identifiable information and potential exposure for another 3,800 customers. Even though Cambridge discovered the first takeover in January 2018, it didn’t require multi-factor authentication until 2021.
In its order against KMS Financial Services, the SEC alleged that between September 2018 and December 2019, 15 cloud-based KMS financial adviser email accounts were breached, resulting in the exposure of records and information of approximately 4,900 customers. The firm discovered the first compromised email in November 2018 but did not implement additional cybersecurity measures until August 2020.
A $141M judgment and a federal asset freeze collide over one shrinking pool
The firm's CFO and EVP of Wealth Management Solutions are the latest executives to exit the broker-dealer.
Clients are saying they would consider switching advisors if another professional offered estate planning services, according to a new Trust & Will survey.
CEO Laurel Taylor says the fintech's composable AI stack helps workers optimize dollars across Trump Accounts, 529s, 401(k)s, and other employee benefits.
The bank has swiped three private banking veterans from BNY as the city climbs the ranks of America's fastest-growing wealth hubs.
Dan Biagini of American Equity says the steady decline of pensions, longer lifespans and a reset in interest rates are rewriting how advisors build retirement income
Direct indexing is on pace to outgrow ETFs and mutual funds. Northern Trust's Ken Lassner explains why the advisors who get it wish they had started sooner.