SEC Fines Brokerage Firms for Data Breaches | Email Hacks

The U.S. Securities and Exchange Commission has levied a collective fine of $750,000 against multiple brokerage firms. This action stems from the exposure of sensitive personal information belonging to thousands of customers following successful hacks of employee email accounts.
Affected Firms
A total of eight entities, operating under three parent companies, have been sanctioned by the SEC. These include firms associated with Cetera (specifically Advisor Networks, Investment Services, Financial Specialists, Advisors, and Investment Advisers), Cambridge Investment Research (and its related Investment Research Advisors), and KMS Financial Services.
Cybersecurity Policy Failures
The SEC’s announcement details that these firms were penalized due to deficiencies in their cybersecurity protocols. These shortcomings enabled unauthorized access to cloud-based email accounts, ultimately compromising the personal data of numerous clients.
Cetera's Breach
In the case of Cetera, unauthorized third parties infiltrated the cloud-based email accounts of over 60 employees for a period exceeding three years. This resulted in the exposure of personal information for at least 4,388 clients.
The SEC’s order highlights that these compromised accounts lacked the security measures mandated by Cetera’s own policies. Furthermore, two Cetera entities were accused of issuing breach notifications to clients that contained inaccurate dates, implying a faster response to the incidents than was actually the case.
Cambridge Investment Research Lapses
The SEC’s investigation into Cambridge revealed that the exposure of personal information for at least 2,177 customers was linked to inadequate cybersecurity practices.
Despite discovering the initial email account takeover in January 2018, Cambridge failed to implement firm-wide security enhancements for cloud-based email accounts until 2021. This delay led to continued exposure, and potential exposure, of additional customer data.
KMS Financial Services' Shortcomings
Similar deficiencies were found at KMS Financial Services. The SEC’s order indicates that the data of nearly 5,000 customers and clients was exposed due to the company’s delayed adoption of comprehensive written security policies and procedures – not implemented until May 2020.
SEC Enforcement Division Statement
“Investment advisers and broker-dealers are obligated to protect customer information,” stated Kristina Littman, head of the SEC Enforcement Division’s Cyber Unit. “Merely establishing a policy requiring stronger security isn’t sufficient if those requirements aren’t fully implemented, particularly when facing known cyberattacks.”
Settlement Terms
All involved parties have agreed to resolve the charges and refrain from future violations, without admitting or denying the SEC’s findings. As part of the settlements, Cetera will pay a penalty of $300,000, while Cambridge and KMS will pay fines of $250,000 and $200,000, respectively.
Firm Responses
Cambridge Investment Research informed TechCrunch that it does not comment on regulatory matters. However, the firm affirmed its commitment to maintaining a robust information security group and procedures to safeguard client accounts.
Cetera and KMS have not yet issued a response to the SEC’s actions.
Recent SEC Action on Data Breaches
This recent enforcement action by the SEC follows closely on the heels of a $1 million fine imposed on Pearson, a London-based publishing and education company, for misleading investors regarding a 2018 data breach.