[BreachExchange] SEC fines multiple firms for cybersecurity lapses that exposed client data

[Sophia Kingsbury]

https://www.investmentnews.com/sec-fines-multiple-firms-for-cybersecurity-lapses-that-exposed-client-data-210900

The Securities and Exchange Commission on Monday ordered eight financial
firms to pay a total of $750,000 in fines for deficient cybersecurity
protections that led to the exposure of client and customer information at
various times over the last four years.

The SEC enforcement action involved five Cetera Financial Group operations
— Cetera Advisor Networks, Cetera Investment Services, Cetera Financial
Specialists, Cetera Advisors and Cetera Investment Advisers — as well as
Cambridge Investment Research Inc. and Cambridge Investment Research
Advisors Inc. and KMS Financial Services Inc., an affiliate of  Ladenburg
Thalmann Financial Services.

The SEC charged the firms with violating the Safeguards Rule, which
requires investment advisory firms and brokerages to adopt written policies
and procedures that are designed to protect customer records and
information against cybersecurity attacks or other unauthorized access that
could cause substantial investor harm or inconvenience.

Cetera will pay a $300,000 fine, while Cambridge will pay $250,000 and KMS
will pay $200,000. The firms agreed to cease and desist from future
violations and pay the penalties without admitting or denying the SEC’s
findings.

“Investment advisers and broker-dealers must fulfill their obligations
concerning the protection of customer information,” Kristina Littman, chief
of the SEC Enforcement Division’s Cyber Unit, said in a statement. “It is
not enough to write a policy requiring enhanced security measures if those
requirements are not implemented or are only partially implemented,
especially in the face of known attacks.”

Cambridge did not comment specifically on the SEC enforcement action, but a
spokesperson defended its cybersecurity practices.

“Cambridge has and does maintain a robust information security group and
procedures to ensure client’s accounts are fully protected,” said Cambridge
spokesperson Jeff Wulf.

Spokespersons for Cetera and KMS did not immediately respond to a request
for comment.

The SEC alleged that between November 2017 and June 2020 cloud-based email
accounts of more than 60 Cetera personnel were taken over by unauthorized
third parties resulting in the exposure of more than 4,388 customers’
personally identifiable information stored in the compromised email
accounts, according to the SEC order.  None of the accounts had
multi-factor authentication, even though Cetera policies required that
security step beginning in 2018. The account takeovers did not result in
unauthorized trades or transfers from the customer accounts.

The SEC also charged Cetera Advisors and Cetera Investment Advisers with
sending notifications to clients that misled them about how soon they were
told of the breaches after they occurred.

In its order against Cambridge, the SEC alleged that from January 2018
through July 1, 2021, cloud-based email accounts of more than 121 Cambridge
independent contractor representatives were taken over by outsiders,
resulting in the exposure of at least 2,177 customers’ personally
identifiable information and potential exposure for another 3,800
customers. Even though Cambridge discovered the first takeover in January
2018, it didn’t require multi-factor authentication until 2021.

In its order against KMS Financial Services, the SEC alleged that between
September 2018 and December 2019, 15 cloud-based KMS financial adviser
email accounts were breached, resulting in the exposure of records and
information of approximately 4,900 customers. The firm discovered the first
compromised email in November 2018 but did not implement additional
cybersecurity measures until August 2020.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210831/aa694c46/attachment.html>