The Securities and Exchange Commission has fined several brokerages a total of $750,000 for exposing the sensitive personal information of thousands of customers and clients after hackers took over employee email accounts.
All of the companies settled the SEC charges, in three separate actions: Cetera Advisor Networks, Cetera Investment Services, Cetera Financial Specialists, Cetera Advisors, and Cetera Investment Advisers; Cambridge Investment Research and Cambridge Investment Research Advisors; and KMS Financial Services.
The firms ran afoul of the SEC’s “Safeguards Rule,” which requires companies to write and adopt procedures for protecting customer records and information.
“Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information,” said Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit. “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”
The regulation, written in 2000, stemmed from the Gramm-Leach-Bliley Act. The SEC didn’t issue its first administrative fine under the Safeguards Rule until 2011, and penalties since have ranged from tens of thousands of dollars to $1 million.
While the activities that generated the latest penalties date back as far as 2017, Monday’s announcement of the settlements come as SEC Chairman Gary Gensler is signaling a more aggressive stance toward Wall Street.
Cetera will pay $300,000 for email account takeovers that led to the exposure of personally identifiable information of 4,388 customers and clients. Employees fell victim to phishing, credential stuffing and other attacks, according to the SEC. While Cetera had put in place mandates for multi-factor authentication, none of the hijacked accounts had activated that security tool, and the SEC said some of the Cetera breach notification letters were misleading by describing incidents as “recent” when they were six months old.
Cambridge will pay $250,000 for the exposure of information on 2,177 customers and clients, stemming from attacks similar to those Cetera faced. After learning of the email account takeovers of the affected independent contractors, Cambridge suspended their accounts and reset their passwords but took no additional security steps to better safeguard customers in the future, the SEC said.
The SEC didn’t specify how KMS financial adviser’s accounts were taken over to expose information of 4,900 customers and clients, for which the company will pay $200,000.
After the exposure, some customers reported receiving phishing emails requesting that they wire funds, provide yet more sensitive information or direct them to links that would allow hackers to seize control of their computers.
KMS discovered the first account compromises in 2018 but didn’t adopt and implement improved security steps until 2020.