Background

On August 30, 2021, the Securities and Exchange Commission (SEC) sanctioned eight firms in three actions for cybersecurity failures in their policies and procedures that exposed the personal information of thousands of customers at each firm. These firms included: Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, the Cetera Entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS).  All were registered with the SEC as broker dealers, investment advisory firms, or both. These failures violated Regulation S-P, also known as the Safeguards Rule.

SEC Prioritizes Cybersecurity

This action occurred in the midst of repeated indications from the SEC that cybersecurity is a top priority for them.  On September 14, 2021, SEC Chair Gary Gensler told a Senate Committee that:

“Today’s investors are looking for consistent, comparable, and decision-useful disclosures around climate risk, human capital, and cybersecurity. I’ve asked staff to develop proposals for the Commission’s consideration on these potential disclosures. These proposals will be informed by economic analysis and will be put out to public comment, so that we can have robust public discussion as to what information matters most to investors in these areas.

Companies and investors alike would benefit from clear rules of the road. I believe the SEC should step in when there’s this level of demand for information relevant to investors’ investment decisions.”

Details of Incidents

Alleged details of the incidents are contained in the three orders:

• Cetera Entities Order. Between November 2017 and June 2020, cloud-based email accounts of over 60 Cetera Entities’ personnel were taken over by unauthorized third parties, exposing personally identifying information (PII) of at least 4,388 customers and clients. None of the accounts were protected in a manner consistent with the Cetera Entities’ policies. The order also finds that Cetera Advisors LLC and Cetera Investment Advisers LLC sent breach notifications that included misleading language suggesting that the notifications were issued much sooner than they actually were after discovery of the incidents.
• Cambridge Order. Between January 2018 and July 2021, cloud-based email accounts of over 121 Cambridge representatives were taken over by unauthorized third parties, exposing PII of at least 2,177 customers and clients. The order finds that although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021, resulting in the exposure and potential exposure of additional customer and client records and information.
• KMS Order. Between September 2018 and December 2019, cloud-based email accounts of 15 KMS financial advisers or their assistants were taken over by unauthorized third parties, exposing the PII of approximately 4,900 KMS customers and clients.  The order finds that KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020, and did not fully implement those additional security measures firm-wide until August 2020, placing additional customer and client records and information at risk.

In the SEC’s press release, Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit, stated:

“Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information. It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”

SEC Findings

The Commission’s orders find that each firm violated Rule 30(a) of Regulation S-P.  The orders also find that Cetera Advisors LLC and Cetera Investment Advisers LLC violated Section 206(4) of the Advisers Act and Rule 206(4)-7 in connection with their breach notifications to clients. Without admitting or denying the findings, each firm has agreed to cease and desist from future violations of these provisions, to be censured, and to pay a penalty. The Cetera Entities will pay a $300,000 penalty, Cambridge will pay a $250,000 penalty, and KMS will pay a $200,000 penalty.

Lessons Learned

As the SEC continues to prioritize cybersecurity and issue enforcement actions, regulated entities should be taking the time and effort to assess the maturity of their cybersecurity governance and their compliance with the requirements of Regulation S-P. This means:

• Understanding the information that the entity (and its vendors) process and who has access this data;
• Protecting data through administrative, physical, technical and other safeguards;
• Conducting risk assessments to identify those systems and assets warranting enhanced protections;
• Implementing and testing incident detection and response capabilities and processes; and
• Assigning clear responsibility for maintenance, periodic review, and updates with respect to the entity’s cybersecurity governance program as well as the information included in initial, annual, and revised privacy notices required to be provided under Regulation S-P.

To view the order against the Cetera Entities, click here.

To view the order against Cambridge, click here.

To view the order against KMS, click here.