The US Securities and Exchange Commission said Monday that it has imposed fines totaling $750,000 on three broker-dealer / investment advisory groups for cybersecurity policy failures that resulted in email account takeovers exposing personal information about thousands of customers and clients.
Eight companies representing three groups were prosecuted by the SEC for violations of federal securities laws and sanctioned:
– El Segundo, California-based Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC and Cetera Investment Advisers, together the Cetera units.
– Fairfield, Iowa-based Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc., together Cambridge.
The firms in all three groups were registered as broker-dealers, investment advisory firms, or both.
The SEC said in its statement that cloud-based email accounts of more than 60 staff members at the Cetera units were taken over by unauthorized third parties between November 2017 and June 2020, resulting in the exposure of personally identifiable information about at least 4,388 customers and clients.
The agency said that breach notifications sent by Cetera Advisors and Cetera Investment Advisers included misleading language suggesting that the notifications were issued much sooner after the incidents were discovered than they actually were.
The SEC has recently cracked down on companies it believes have violated securities laws by making insufficient cybersecurity disclosures, and it is expected to continue to carry out enforcement activities.
Cetera will pay a $300,000 penalty, the SEC said.
The SEC's order against Cambridge said that between January 2018 and July 2021 cloud-based email accounts for more than 121 representatives from Cambridge were taken over by unauthorized third parties, resulting in the release of personal ID numbers of at least 2,177 Cambridge customers and clients.
Although Cambridge discovered the first email takeover in January 2018, it failed to implement enterprise-wide enhanced security measures for its representatives' cloud-based email accounts until 2021, resulting in the exposure and potential exposure of additional customer and client records and information. The SEC said Cambridge will pay a $250,000 fine.
In the KMS case, the SEC said that cloud-based email accounts for 15 of its advisors or assistants were taken over by unauthorized third parties between September 2018 and December 2019, resulting in the exposure of personally identifiable information of approximately 4,900 customers and clients.
The SEC stated that KMS also did not adopt policies and procedures requiring comprehensive safeguards until May 2020 and did not fully implement those additional safeguards until August 2020, putting additional data at risk. The SEC said KMS will pay a $200,000 penalty.
A spokesman for Cambridge said in a statement that it "does not comment on regulatory issues. Cambridge has and still has a robust information security team and routines to ensure that the customer's accounts are fully protected." Contacts at the other companies could not be found.