Eight US investment firms fined over inadequate cyber security policies

The US Securities and Exchange Commission (SEC) has fined eight investment companies for failures in their cyber security policies and procedures that resulted in the exposure of personal information belonging to thousands of customers and clients.

The companies, which include entities owned by investment groups Cetera, Cambridge, and KMS, have all agreed to settle, according to the SEC, with fines of $300,000, $250,000, and $200,000 respectively.

The commission stated that between November 2017 and June 2020, cloud-based email accounts associated with over 60 Cetera entity personnel were taken over by unauthorised third parties, resulting in the exposure of personally identifying information of at least 4,388 customers and clients.

The SEC found that none of the accounts were protected in a manner consistent with the company’s policies, and that its breach notifications sent to its clients included “misleading language suggesting the notifications were issued much sooner than they actually were after discovery of the incidents”.

The SEC said that between January 2018 and July 2021, cloud-based email accounts of over 121 Cambridge representatives were taken over by unauthorised third parties, resulting in the exposure of information belonging to at least 2,177 Cambridge customers and clients. It added that the company “failed to adopt and implement firm-wide enhanced security measures” for its email accounts until 2021, despite discovering the first email account takeover in January 2018.

Lastly, between September 2018 and December 2019, cloud-based email accounts of 15 KMS financial advisers or their assistants were taken over by unauthorised third parties, with around 4,900 KMS customer and client records being leaked. The SEC stated that KMS “failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020” and did not implement these fully across the company until August 2020, placing additional customer and client records and information at risk.

Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC were all sanctioned as part of the ruling, as well as Cambridge Investment Research Inc., Cambridge Investment Research Advisors Inc., and KMS Financial Services Inc.

“Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information,” said Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit. “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”

In June, the SEC launched an investigation into the SolarWinds attack, exploring whether some organisations did not disclose they had been impacted by the breach. Additionally, it was investigating the policies belonging to certain companies to see whether they are designed to protect customer information. In the US, securities law requires companies to share material information that could affect their share prices, including cyber breaches.

See the original article here: ITPro