IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Eight US investment firms fined over inadequate cyber security policies

Failures in the companies’ cyber security practices resulted in the leak of thousands of customer and client records

The US Securities and Exchange Commission (SEC) has fined eight investment companies for failures in their cyber security policies and procedures that resulted in the exposure of personal information belonging to thousands of customers and clients.

The companies, which include entities owned by investment groups Cetera, Cambridge, and KMS, have all agreed to settle, according to the SEC, with fines of $300,000, $250,000, and $200,000 respectively.

The commission stated that between November 2017 and June 2020, cloud-based email accounts associated with over 60 Cetera entity personnel were taken over by unauthorised third parties, resulting in the exposure of personally identifying information of at least 4,388 customers and clients.

The SEC found that none of the accounts were protected in a manner consistent with the company’s policies, and that its breach notifications sent to its clients included “misleading language suggesting the notifications were issued much sooner than they actually were after discovery of the incidents”.

The SEC said that between January 2018 and July 2021, cloud-based email accounts of over 121 Cambridge representatives were taken over by unauthorised third parties, resulting in the exposure of information belonging to at least 2,177 Cambridge customers and clients. It added that the company “failed to adopt and implement-firm wide enhanced security measures” for its email accounts until 2021, despite discovering the first email account takeover in January 2018.

Lastly, between September 2018 and December 2019, cloud-based email accounts of 15 KMS financial advisers or their assistants were taken over by unauthorised third parties, with around 4,900 KMS customer and client records being leaked. The SEC stated that KMS “failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020” and did not implement these fully across the company until August 2020, placing additional customer and client records and information at risk.

Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC, were all sanctioned as part of the ruling, as well as Cambridge Investment Research Inc., Cambridge Investment Research Advisors Inc., and KMS Financial Services Inc.

Related Resource

The secure cloud configuration imperative

The central role of cloud security posture management

The secure cloud configuration imperativeFree download

"Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information," said Kristina Littman, chief of the SEC Enforcement Division's Cyber Unit. "It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks."

In June, the SEC launched an investigation into the SolarWinds attack, exploring whether some organisations did not disclose they had been impacted by the breach. Additionally, it was investigating the policies belonging to certain companies to see whether they are designed to protect customer information. In the US, securities law requires companies to share material information that could affect their share prices, including cyber breaches.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

FCC commissioner urges Apple and Google to remove TikTok from app stores
data protection

FCC commissioner urges Apple and Google to remove TikTok from app stores

29 Jun 2022
Carnival hit with $5 million fine over cyber security violations
cyber security

Carnival hit with $5 million fine over cyber security violations

27 Jun 2022
AWS’ Amplify Studio is now generally available 
Development

AWS’ Amplify Studio is now generally available 

22 Apr 2022
TSMC founder brands Intel’s US expansion plans an ‘exercise in futility’
components

TSMC founder brands Intel’s US expansion plans an ‘exercise in futility’

22 Apr 2022

Most Popular

FCC commissioner urges Apple and Google to remove TikTok from app stores
data protection

FCC commissioner urges Apple and Google to remove TikTok from app stores

29 Jun 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Internet providers look to ease cost of living crisis with cheaper broadband
broadband

Internet providers look to ease cost of living crisis with cheaper broadband

29 Jun 2022