As the Securities and Exchange Commission continues to ramp up its cybersecurity enforcement in the wake of guidance released earlier this year, some heavyweight broker-dealers got slapped on the wrist today for failures in their cybersecurity policies.
The SEC today announced it has sanctioned eight firms in three actions for the failures in their policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm.
The eight firms, which have agreed to settle the charges, are: Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, the Cetera Entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS). All were Commission-registered as broker-dealers, investment advisory firms, or both.
Without admitting or denying the SEC’s findings, each firm agreed to cease and desist from future violations of the charged provisions, to be censured and to pay a penalty. The Cetera Entities will pay a $300,000 penalty, Cambridge will pay a $250,000 penalty, and KMS will pay a $200,000 penalty.
For comparison, in May the SEC fined GWFS Equities Inc., a subsidiary of Empower Retirement that provides services to employer-sponsored retirement plans, $1.5 million to settle charges for violating federal securities laws governing the filing of Suspicious Activity Reports.
“Investment advisers and broker-dealers must fulfill their obligations concerning the protection of customer information,” said Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit, in a statement about Monday’s actions. “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”
According to the SEC’s order against the Cetera Entities, between November 2017 and June 2020, cloud-based email accounts of over 60 Cetera Entities’ personnel were taken over by unauthorized third parties, resulting in the exposure of personally identifying information (PII) of at least 4,388 customers and clients.
Per the SEC statement, none of the taken-over accounts were protected in a manner consistent with the Cetera Entities’ policies. The SEC’s order also finds that Cetera Advisors LLC and Cetera Investment Advisers LLC sent breach notifications to the firms’ clients that included misleading language suggesting that the notifications were issued much sooner than they actually were after discovery of the incidents.
According to the SEC’s order against Cambridge, between January 2018 and July 2021, cloud-based email accounts of over 121 Cambridge representatives were taken over by unauthorized third parties, resulting in the PII exposure of at least 2,177 Cambridge customers and clients.
The SEC’s order finds that although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021, resulting in the exposure and potential exposure of additional customer and client records and information.
According to the SEC’s order against KMS, between September 2018 and December 2019, cloud-based email accounts of 15 KMS financial advisers or their assistants were taken over by unauthorized third parties, resulting in the PII exposure of approximately 4,900 KMS customers and clients.
The SEC’s order further finds that KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020, and did not fully implement those additional security measures firm-wide until August 2020, placing additional customer and client records and information at risk.
The SEC’s orders against each of the firms find that they violated Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which requires registered broker-dealers and investment advisers to adopt written policies and procedures to protect customer records and information. The SEC’s order against the Cetera Entities also finds that Cetera Advisors LLC and Cetera Investment Advisers LLC violated Section 206(4) of the Advisers Act and Rule 206(4)-7 in connection with their breach notifications to clients.
Today’s actions are a further signal that the SEC intends to use its enforcement powers to ensure that companies implement robust cybersecurity risk management systems as the frequency of cyberattacks continues to rise.
Back in April, the DOL’s Employee Benefits Security Administration issued cybersecurity guidance covering best practices for maintaining cybersecurity for 401k plan sponsors, plan fiduciaries, recordkeepers and plan participants. It marked the first time the EBSA has issued cybersecurity guidance directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act.
SEE ALSO:
- Unreported Cyberattacks on Retirement Accounts Lead to $1.5M SEC Fine for B-D
- DOL Releases Cybersecurity Guidance for 401k Plans
- Voya Sharpens Workplace Focus with Sale of Indy Financial Planning Channel to Cetera
Veteran financial services industry journalist Brian Anderson joined 401(k) Specialist as Managing Editor in January 2019. He has led editorial content for a variety of well-known properties including Insurance Forums, Life Insurance Selling, National Underwriter Life & Health, and Senior Market Advisor. He has always maintained a focus on providing readers with timely, useful information intended to help them build their business.