The United States Securities and Exchange Commission (SEC) has charged eight companies with cybersecurity failures that led to the exposure of personal information.
Sanctions against the firms were announced on Monday in the form of three actions against Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, the Cetera Entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS).
In a statement released August 30, the SEC said: "The Securities and Exchange Commission today sanctioned eight firms in three actions for failures in their cybersecurity policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm."
All the accused firms were Commission-registered as investment advisory firms, broker dealers, or both. They have all entered into agreements with the SEC to settle the charges laid against them.
An SEC investigation into the cybersecurity of Cetera Entities found that between November 2017 and June 2020, the personally identifying information (PII) of at least 4,388 customers and clients was exposed after the cloud-based email accounts of more than 60 personnel of Cetera Entities were taken over by unauthorized third parties.
Between January 2018 and July 2021, email account takeovers of 121 email accounts belong to Cambridge representatives caused the PII of at least 2,177 Cambridge customers and clients to be exposed. At KMS, between September 2018 and December 2019, 15 financial advisers or their assistants had their email accounts taken over by unauthorized third parties, resulting in the PII exposure of approximately 4,900 KMS customers and clients.
The SEC found that KMS and Cambridge "failed to adopt written policies and procedures requiring additional firm-wide security measures" until August 2020 and 2021, respectively.
"It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks," said Kristina Littman, chief of the SEC Enforcement Division's Cyber Unit.
Cetera Entities will pay a $300,000 penalty, KMS will pay $200,000, and Cambridge will pay $250,000.