Eight firms, including a handful of Cetera's independent broker/dealers, failed to have cybersecurity policies and procedures in place, which left them vulnerable to attacks in which company emails were taken over by outsiders, leading to thousands of clients’ personal information potentially being exposed, according to the Securities and Exchange Commission.
The SEC sanctioned the firms in three separate actions, and all firms agreed to settle the charges. The sanctioned firms include a number of firms under Cetera, including Cetera Advisor Networks, Cetera Investment Services, Cetera Financial Specialists, Cetera Advisors and Cetera Investment Advisers. Another action sanctioned Cambridge Investment Research and Cambridge Investment Research Advisors, while the third detailed the allegations against KMS Financial Services.
Kristina Littman, the chief of the cyber unit of the commission’s Enforcement Division, said in a statement that investment advisors and broker/dealers “must fulfill their obligations” when promising to safeguard what is supposed to be private client information.
“It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks,” Littman said.
According to the SEC action against the Cetera firms, email accounts for more than 60 Cetera employees were “taken over by unauthorized third parties” between November 2017 and June 2020, leading to more than 4,388 customers’ personally identifiable information being exposed. According to the action, the email accounts were taken over “via phishing, credential stuffing or other modes of attack.” None of the accounts had multifactor authentication turned on, according to the commission.
None of the email account takeovers seemed to have led to any unauthorized trades or activity in firms’ brokerage or advisory accounts, according to the SEC. But the SEC argued Cetera’s policies concerning cybersecurity breaches “were not reasonably designed” to protect clients.
“Cetera entities had a significant number of security tools at their disposal that allowed them to implement controls that would mitigate these higher risks,” the action read. “However, Cetera entities failed to use these tools in the manner tailored to their business, exposing their customers’ (personally identifiable information) to unreasonable risks.”
According to the SEC order, the Cetera firms also sent breach notifications to their clients, but these notifications included “template language” that misleadingly implied the notifications had been sent sooner after the cybersecurity incidents were discovered than they actually were. Cetera did not return a request for comment as of press time.
According to the SEC’s order against the Cambridge firms, the cloud-based email accounts of more than 121 Cambridge reps were also compromised by third parties at some point between January 2018 and July of this year, leading to the personal information of at least 2,177 customers and clients being exposed.
Cambridge first learned of the initial email takeovers at around the time they began but allegedly failed to implement the security measures for its cloud-based accounts that were spelled out in the firm's written policies (including the use of multifactor authentication) until this year. A Cambridge spokesperson said the firm does not comment on regulatory matters but said it maintains “a robust information security group” and procedures to ensure client accounts are protected.
Similarly, the KMS order detailed how the cloud-based email accounts of 15 KMS financial advisors or their assistants were breached by unauthorized third parties between September 2018 and December 2019, during which time about 4,900 clients and customers had their data exposed. But the firm purportedly did not adopt written policies and procedures that would mandate additional security measures until May of this year, and did not implement them in full throughout the firm until August. According to the commission, this put more client information at potential risk. KMS Financial Services was one of the three broker/dealers folded into the Securities America banner by Advisor Group following its 2019 acquisition of Ladenburg Thalmann, which included KMS. A Securities America spokesperson said the firm does not publicly comment on regulatory matters.
As with Cetera, the SEC found in the Cambridge and KMS cases that the takeover of email accounts and exposure of client information did not seem to lead to unauthorized trades or fund transfers from customer accounts, according to the two orders. Though none of the firms involved admitted or denied the findings, the eight firms agreed to a cease-and-desist order, as well as a censure. The Cetera firms will collectively pay $300,000, while Cambridge and KMS will pay $250,000 and $200,000, respectively.