Privacy & Information Security Law Blog

On August 30, 2021, the U.S. Securities and Exchange Commission (“SEC”) announced that it had settled three administrative cases involving a total of eight registered broker-dealers and investment advisers for failures in their cybersecurity policies and procedures. These failures led to email account takeovers that exposed personal information of thousands of customers at each firm. The cases are In the Matter of Cetera Advisor Networks LLC, Release No. 34-92800; In the Matter of Cambridge Investment Research, Inc., Release No. 34-92806; and In the Matter of KMS Financial Services, Inc., Release No. 34-92807, August 30, 2021.

According to the SEC’s order against multiple Cetera entities, between November 2017 and June 2020, unauthorized third parties gained access to the cloud-based email accounts of 60 Cetera employees, exposing the personally identifiable information of over 4,300 customers and clients. Each of the Cetera entities was registered with the SEC as an investment adviser or broker-dealer. According to the SEC’s order, none of the compromised accounts were protected in a manner consistent with the Cetera entities’ written cybersecurity policies. The SEC also alleged that breach notifications sent to Cetera clients included misleading language.

The SEC’s order against Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. found that between January 2018 and July 2021, unauthorized third parties accessed the cloud-based email accounts of over 120 Cambridge representatives, leading to the exposure of personally identifiable information of over 2,100 clients. Each of the Cambridge entities was registered with the SEC as an investment adviser or broker-dealer. The order also found that despite knowing of the breach in January 2018, the Cambridge entities did not take corrective action to improve security for cloud-based email accounts until 2021, potentially resulting in additional exposure to its clients and customers.

According to the SEC order against KMS Financial Services Inc., between September 2018 and December 2019, unauthorized third parties gained access to the cloud-based email accounts of 15 KMS financial advisors or their assistants, resulting in the exposure of personally identifiable information for approximately 4,900 KMS clients and customers. KMS was dually registered as a broker-dealer and investment adviser. Like Cambridge, according to the SEC, KMS also failed to adopt written policies and procedures implementing additional security measures until August 2020, possibly resulting in additional exposure to its clients and customers.

The SEC found that each of the firms violated Rule 30(a) of Regulation S-P, also known as the Safeguards Rule. Rule 30(a) requires registered broker-dealers, investment companies and registered investment advisers to adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information. In light of the misleading nature of its breach notifications, the SEC also charged the Cetera entities with violating the antifraud provisions and compliance policy rules of the Investment Advisers Act. According to the SEC’s press release, “Without admitting or denying the SEC’s findings, each firm agreed to cease and desist from future violations of the charged provisions.” Each of the firms also agreed to be censured and pay civil monetary penalties. The Cetera entities will pay a $300,000 penalty, the Cambridge entities will pay a $250,000 penalty, and KMS will pay a $200,000 penalty.

This series of cases is the latest in a string of recent SEC enforcement cases (which includes the Pearson plc penalty) involving deficient cybersecurity controls and procedures. SEC Chair Gary Gensler has signaled in recent speeches and congressional testimony that cybersecurity will be a priority of the agency during his tenure. Commenting on the case, Kristina Littman, chief of the SEC Division of Enforcement's Cyber Unit, remarked, “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”