Eight US investment firms fined over inadequate cyber security policies

Failures in the companies’ cyber security practices resulted in the leak of thousands of customer and client records

The US Securities and Exchange Commission (SEC) has fined eight investment companies for failures in their cyber security policies and procedures that resulted in the exposure of personal information belonging to thousands of customers and clients.

The companies, which include entities owned by investment groups Cetera, Cambridge, and KMS, have all agreed to settle, according to the SEC, with fines of $300,000, $250,000, and $200,000 respectively.

The commission stated that between November 2017 and June 2020, cloud-based email accounts associated with over 60 Cetera entity personnel were taken over by unauthorised third parties, resulting in the exposure of personally identifying information of at least 4,388 customers and clients.

The SEC found that none of the accounts were protected in a manner consistent with the company’s policies, and that its breach notifications sent to its clients included “misleading language suggesting the notifications were issued much sooner than they actually were after discovery of the incidents”.

The SEC said that between January 2018 and July 2021, cloud-based email accounts of over 121 Cambridge representatives were taken over by unauthorised third parties, resulting in the exposure of information belonging to at least 2,177 Cambridge customers and clients. It added that the company “failed to adopt and implement firm-wide enhanced security measures” for its email accounts until 2021, despite discovering the first email account takeover in January 2018.

Lastly, between September 2018 and December 2019, cloud-based email accounts of 15 KMS financial advisers or their assistants were taken over by unauthorised third parties, with around 4,900 KMS customer and client records being leaked. The SEC stated that KMS “failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020” and did not implement these fully across the company until August 2020, placing additional customer and client records and information at risk.

Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC, were all sanctioned as part of the ruling, as well as Cambridge Investment Research Inc., Cambridge Investment Research Advisors Inc., and KMS Financial Services Inc.


"Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information," said Kristina Littman, chief of the SEC Enforcement Division's Cyber Unit. "It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks."

In June, the SEC launched an investigation into the SolarWinds attack, exploring whether some organisations did not disclose they had been impacted by the breach. Additionally, it was investigating the policies belonging to certain companies to see whether they are designed to protect customer information. In the US, securities law requires companies to share material information that could affect their share prices, including cyber breaches.
