SEC fines multiple firms for cybersecurity lapses that exposed client data

The Securities and Exchange Commission on Monday ordered eight financial firms to pay a total of $750,000 in fines for deficient cybersecurity protections that led to the exposure of client and customer information at various times over the last four years.

The SEC enforcement action involved five Cetera Financial Group operations -- Cetera Advisor Networks, Cetera Investment Services, Cetera Financial Specialists, Cetera Advisors and Cetera Investment Advisers -- as well as Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. and KMS Financial Services Inc., an affiliate of  Ladenburg Thalmann Financial Services.

The SEC charged the firms with violating the Safeguards Rule, which requires investment advisory firms and brokerages to adopt written policies and procedures that are designed to protect customer records and information against cybersecurity attacks or other unauthorized access that could cause substantial investor harm or inconvenience.

Cetera will pay a $300,000 fine, while Cambridge will pay $250,000 and KMS will pay $200,000. The firms agreed to cease and desist from future violations and pay the penalties without admitting or denying the SEC's findings.

"Investment advisers and broker-dealers must fulfill their obligations concerning the protection of customer information," Kristina Littman, chief of the SEC Enforcement Division's Cyber Unit, said in a statement. "It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks."

Cambridge did not comment specifically on the SEC enforcement action, but a spokesperson defended its cybersecurity practices.

“Cambridge has and does maintain a robust information security group and procedures to ensure client’s accounts are fully protected,” said Cambridge spokesperson Jeff Wulf.

Spokespersons for Cetera and KMS did not immediately respond to a request for comment.

The SEC alleged that between November 2017 and June 2020 cloud-based email accounts of more than 60 Cetera personnel were taken over by unauthorized third parties resulting in the exposure of more than 4,388 customers’ personally identifiable information stored in the compromised email accounts, according to the SEC order.  None of the accounts had multi-factor authentication, even though Cetera policies required that security step beginning in 2018. The account takeovers did not result in unauthorized trades or transfers from the customer accounts.

The SEC also charged Cetera Advisors and Cetera Investment Advisers with sending notifications to clients that misled them about how soon they were told of the breaches after they occurred.

In its order against Cambridge, the SEC alleged that from January 2018 through July 1, 2021, cloud-based email accounts of more than 121 Cambridge independent contractor representatives were taken over by outsiders, resulting in the exposure of at least 2,177 customers’ personally identifiable information and potential exposure for another 3,800 customers. Even though Cambridge discovered the first takeover in January 2018, it didn’t require multi-factor authentication until 2021.

In its order against KMS Financial Services, the SEC alleged that between September 2018 and December 2019, 15 cloud-based KMS financial adviser email accounts were breached, resulting in the exposure of records and information of approximately 4,900 customers. The firm discovered the first compromised email in November 2018 but did not implement additional cybersecurity measures until August 2020.