After hackers gained access to employee email accounts, the U.S. Securities and Exchange Commission fined several brokerage companies a total of $750,000.
The SEC has sanctioned eight entities from three companies: Cetera (Advisor Networks, Investment Services, Financial Specialists, Advisors, and Investment Advisers), Cambridge (Investment Research and Investment Research Advisors), and KMS Financial Services.
The SEC said in a press release that it sanctioned the firms because of failures in their cybersecurity policies and procedures. These failures allowed hackers to gain unauthorized access to cloud-based email accounts and exposed the personal information of thousands.
The SEC stated that Cetera's cloud-based email accounts had been accessed by unauthorized third parties for over three years, exposing the personal information of at least 4,388 clients.
According to the order, none of the accounts had the protections required under Cetera's policies. The SEC also charged two Cetera entities with sending breach notices to clients that used misleading language. The language suggested that the notifications were sent much sooner after the incidents were discovered than was actually the case.
According to the SEC's order against Cambridge, the exposure of the personal data of at most 2,177 Cambridge clients and customers was due to lax cybersecurity practices at Cambridge.
The SEC stated that although Cambridge had discovered the first email account hijack in January 2018, it did not adopt and implement firmwide security measures for cloud-based email accounts. This led to the potential exposure of additional client and customer records.
KMS was also subject to an order. The SEC's order stated that almost 5,000 clients and customers were exposed due to KMS's failures in adopting written policies and procedures. Additional security measures will be required for KMS until May 2020.
Kristina Littman from the SEC Enforcement Division's Cyber Unit stated that investment advisers and broker-dealers need to fulfill their obligations regarding the protection of customer data. If the policy does not include enhanced security measures, it is insufficient to create one. This is especially true when there are known attacks.
All parties agreed to settle the charges and to refrain from future violations of the charged provisions, without admitting or denying the findings of the SEC. Cetera will be subject to a $300,000 penalty, while Cambridge and KMS will pay fines of $250,000 and $200,000, respectively.
Cambridge told TechCrunch that although it doesn't comment on regulatory issues, it maintains a comprehensive information security team and procedures to ensure client accounts are completely protected. KMS and Cetera have not yet responded.
The latest SEC action comes only weeks after Pearson, a London-based publisher and education company, was fined $1 million for misleading investors about a 2018 data leak.