SEC ANNOUNCES ACTIONS AGAINST BROKER DEALERS AND INVESTMENT ADVISORY FIRMS CHARGING DEFICIENT CYBERSECURITY PROCEDURES
The Securities and Exchange Commission (“SEC”) sanctioned eight firms for deficient cybersecurity policies and procedures that resulted in email account compromises exposing the personal information of customers and clients. The eight sanctioned firms were registered broker-dealers, investment advisory firms, or both.
Cetera Advisor Networks, LLC, Cetera Investment Services, LLC, Cetera Financial Specialists LLC, Cetera Advisors, LLC and Cetera Investment Advisers, LLC (collectively, “Cetera Entities”) were fined $300,000 for failing to protect personally identifying information in a manner consistent with the Cetera Entities’ own policies. Between November 2017 and June 2020, cloud-based email accounts of Cetera Entities’ personnel were accessed by unauthorized third parties, who gained access to personal identifying information for over 4,000 customers and clients. Two of the Cetera Entities, Cetera Advisors, LLC and Cetera Investment Advisers, LLC, were also found to have used misleading language in their breach notifications to clients, implying that the notifications had been sent sooner after the firms learned of the incident than they actually were. The SEC also found that the Cetera Entities violated Rule 30(a) of Regulation S-P and that Cetera Advisors, LLC and Cetera Investment Advisers, LLC violated Section 206(4) of the Advisers Act and Rule 206(4)-7.
Cambridge Investment Research, Inc. and Cambridge Investment Research Advisors, Inc. (collectively, “Cambridge”) were fined $250,000 for failing to adopt and implement firm-wide enhanced security measures within a reasonable time after a cyber breach. Between January 2018 and July 2021, cloud-based email accounts of Cambridge personnel were taken over by unauthorized third parties, resulting in access to personal identifying information for over 2,000 customers and clients. Cambridge discovered the breach in January 2018 but did not implement enhanced security measures for all cloud-based email accounts until 2021. This delay resulted in the exposure and potential exposure of additional customer and client records and information. The SEC found that Cambridge violated Rule 30(a) of Regulation S-P.
KMS Financial Services, Inc. (“KMS”) was fined $200,000 for failing to adopt written policies and procedures for the protection of customer information. Between September 2018 and December 2019, cloud-based email accounts of KMS financial advisers were accessed by unauthorized third-party vendors, resulting in access to personal identifying information for over 4,900 customers and clients. KMS did not adopt written policies and procedures enhancing firm-wide security measures until May 2020 and did not implement those measures until August 2020. KMS’ failure to act swiftly placed additional customer and client information at risk. The SEC found that KMS violated Rule 30(a) of Regulation S-P.
The SEC reinforced the importance of investment advisers’ and broker-dealers’ adherence to all rules and regulations regarding cybersecurity and the protection of customer information. Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit, emphasized the importance of not only maintaining written policies but also actually implementing those procedures, particularly in the face of known breaches.