The Securities and Exchange Commission (SEC) fined six trading companies a total of $750,000 after hackers gained access to staff email accounts, exposing sensitive personally identifying information of thousands of customers and clients.
The SEC has sanctioned eight entities affiliated with three companies. They include Cetera (Advisor Networks, Investment Services, Financial Specialists, Advisors, and Investment Advisers), Cambridge Investment Research (Investment Research and Investment Research Advisors), and KMS Financial Services.
According to a news release, the SEC sanctioned the companies for failing to follow cyber security standards and regulations, allowing hackers to gain unauthorized access to cloud-based email accounts, exposing the personal information of thousands of customers and clients.
In the case of Cetera, the SEC stated that unauthorized third parties had access to more than 60 workers’ cloud-based email accounts for more than three years, exposing at least 4,388 clients’ personal information.
The SEC also charged two Cetera firms with mailing breach notifications to clients that contained “misleading wording suggesting that the notifications were sent considerably sooner than they actually were following the discovery of the breaches,” according to the ruling.
The personal information of at least 2,177 Cambridge customers and clients was exposed as a result of the firm’s inadequate cyber security practices, according to the SEC’s ruling.
“Despite finding the initial email account takeover in January 2018, Cambridge did not adopt and implement firm-wide additional security measures for its reps’ cloud-based email accounts until 2021,” according to the SEC. “This resulted in the vulnerability and possible exposure of more customer and client data and information.”
The SEC’s case against KMS is similar; according to the order, the company’s failure to adopt established policies and processes demanding extra firm-wide security measures until May 2020 resulted in the data of over 5,000 customers and clients being exposed.
“Investment advisors and broker-dealers must satisfy their obligations to secure client information,” said Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit. “Writing a policy demanding stronger security measures is insufficient if those requirements are not executed or are only partially implemented, especially in the face of known assaults.”
Without admitting or denying the SEC’s conclusions, the parties agreed to settle the allegations and refrain from violating the charged provisions in the future. Cetera will pay a $300,000 penalty as part of the settlements, while Cambridge and KMS will pay fines of $250,000 and $200,000, respectively.
Cambridge told TechCrunch that it does not comment on regulatory matters, but that it has and does maintain a sophisticated information security group and procedures to guarantee clients’ accounts are adequately safeguarded. Cetera and KMS have yet to respond.
The SEC’s new action comes just weeks after the Commission ordered Pearson, a publishing and education conglomerate based in London, to pay a $1 million penalty for deceiving investors about a data breach that occurred in 2018.