The U.S. Securities and Exchange Commission has charged three brokerage firms with cybersecurity failures that resulted in customer information being compromised through email account break-ins.
According to the SEC, five entities associated with Cetera Financial Group, two associated with Cambridge Investment Research, and KMS Financial Services violated the Safeguards Rule, which requires that broker-dealers and investment firms registered with the agency adopt written policies and procedures to protect customer records and information.
As a result of the inadequate cybersecurity, the SEC said, hackers were able to take over email accounts at the firms, resulting in the exposure of the information of at least 11,465 customers.
To settle the charges, Cetera, Cambridge Investment, and KMS agreed to pay penalties of $300,000, $250,000, and $200,000, respectively.
“Investment advisers and broker-dealers must fulfill their obligations concerning the protection of customer information,” Kristina Littman, chief of the SEC Enforcement Division’s cyber unit, said in a news release. “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”
As The Wall Street Journal reports, “The enforcement actions are the latest example of the U.S. Securities and Exchange Commission penalizing brokerages and money managers over hacks.”
In one of the first such cases, the SEC fined Voya Financial Advisors $1 million in 2018 after cyber intruders impersonating VFA contractors gained access to the personal information of thousands of customers.
In the Cetera case, the SEC said that between November 2017 and June 2020, unauthorized third parties took over the cloud-based email accounts of more than 60 Cetera employees, exposing the data of at least 4,388 customers.
“None of the taken over accounts were protected in a manner consistent with [Cetera’s] policies,” the commission said, adding that the firm sent breach notifications to clients that “included misleading language suggesting that the notifications were issued much sooner than they actually were after discovery of the incidents.”
The intrusions at Cambridge Investment and KMS led to at least 2,177 and 4,900 customers having their personal information exposed, respectively, according to the SEC.