U.S. Securities and Exchange Commission (SEC) regulators sanctioned eight entities associated with three financial advisory firms for failing to protect the personally identifying information (PII) of thousands of their customers whose email accounts were hacked.
The SEC separately charged five entities tied to Cetera Entities, two associated with Cambridge Investment Research and KMS Financial Services with insufficiently establishing and applying cybersecurity policies and procedures for cloud-based email accounts belonging to their customers and clients.
All three firms, which were SEC registered as broker dealers, investment advisory firms or both, were charged with violating what’s known as the Safeguards Rule that requires broker-dealers and investment firms to adopt written policies and procedures to protect customer records and information. Taken together, some 11,465 PII belonging to customers and clients of Cetera, Cambridge and KMS were compromised, the SEC said.
Each firm agreed to settle the SEC’s charges without admitting or denying the findings, to cease and desist from future violations of the charged provisions, to accept censure and pay a penalty. Cetera will pay $300,000, Cambridge $250,000 and KMS $200,000 in fines, the SEC said.
MSSPs: A Warning Sign for Cybersecurity Policies and Procedures
Why should MSSPs take note of the SEC’s actions in these cases? The SEC's enforcement suggests that service providers engaged in the financial sector may need to remind clients to revisit and button up their cybersecurity policies and procedures to pass agency oversight.
Further, the SEC actions may offer clues that the regulatory agency intends to go after member organizations that skirt cybersecurity provisions and best practices, particularly as outlined by the Department of Homeland Security (DHS) and its sub-agency the Cybersecurity and Infrastructure Security Agency (CISA), the nation’s cyber central. Three years ago, SEC regulators charged Voya Financial Advisors with violating an identity theft rule requiring companies to enact measures to prevent identity theft, the Wall Street Journal reported.
"Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information," said Kristina Littman, Chief of the SEC Enforcement Division's Cyber Unit. "It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks."
Cloud Email Account Takeovers
According to the SEC's order against Cetera, between November 2017 and June 2020, hackers took control of cloud-based email accounts belonging to 60 Cetera personnel, exposing the PII of roughly 4,388 customers and clients. None of the hacked accounts were protected in a manner consistent with the Cetera’s' policies.
According to the SEC's order against Cambridge, between January 2018 and July 2021, hackers took control of cloud-based email accounts belonging to 121 Cambridge representatives, exposing the PII of some 2,177 Cambridge customers and clients. Although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement enhanced security measures for cloud-based email accounts of its representatives until 2021.
According to the SEC's order against KMS, between September 2018 and December 2019, hackers took control of cloud-based email accounts belonging to 15 KMS financial advisers or their assistants, exposing the PII of about 4,900 KMS customers and clients. KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020 and did not implement them until August 2020.