SEC Slaps $750K Fine on Eight Brokers for Negligence in Email, Data Security

essidsolutions

Eight brokerage firms were recently handed significant but not hefty fines for delinquency in email security which led to the compromise of personally identifiable information of thousands of customers. Customer PII of all of the eight firms was compromised through email account takeovers. None of the firms acknowledged any wrongdoing but agreed to pay the piper.

Non-fulfillment of cybersecurity policies and procedures has landed eight brokerage firms a cumulative fine of $750,000. These firms, owned by three companies, failed to comply with appropriate security standards that led to email takeover of hundreds of employees, which in turn resulted in a much larger data breach.

According to the Securities and Exchange Commission (SEC), the personally identifiable information (PII) of at least 11,465 customers was compromised.

The eight firms are: Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, the Cetera Entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS).

Specifically, these firms violated Rule 30(a) of Regulation S-P (the Safeguards Rule), which mandates protection of confidential customer or client information.

Cetera Advisors LLC and Cetera Investment Advisers LLC in particular also violated Section 206(4) of the Advisers Act and Rule 206(4)-7. These two provisions relate to fraudulent, deceptive, or manipulative practices. Evidently, Cetera Advisors and Cetera Investment Advisers misled customers through incorrect breach notifications.

Kristina Littman, chief of the Cyber Unit at the SEC’s Enforcement Division, said, “Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information. It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”


Company/Firm                  | Email Accounts Breached | No. of Customers Whose PII Was Compromised | Time Period                     | Fine
Cetera Entities               | 60                      | At least 4,388                             | November 2017 to June 2020      | $300,000
Cambridge Investment Research | 121                     | At least 2,177                             | January 2018 to July 2021       | $250,000
KMS Financial Services        | 15                      | ~4,900                                     | September 2018 to December 2019 | $200,000

Please note:

  • Cetera Entities include Advisor Networks, Financial Specialists, Advisors, Investment Services, and Investment Advisers
  • Cambridge Investment Research includes Investment Research and Investment Research Advisors

The SEC also noted that the first takeover of a Cambridge Investment Research representative’s email account was discovered as early as January 2018. Yet Cambridge did not adopt the relevant security measures until 2021.

KMS Financial Services failed to upgrade its security until May 2020. Cetera was fined the highest amount because the breach notifications it sent to customers were misleading, a violation of Rule 206(4)-7. The company implied that “notifications were issued much sooner than they actually were after discovery of the incidents.”

The SEC did not say whether any of the compromised data was used to carry out unauthorized trades. None of the firms admitted or denied the SEC’s allegations, but all agreed to pay the penalties and to refrain from such violations in the future.
