Published on Aug 30th, 2021 |

SEC Release | Cybersecurity

On August 30th, 2021, the SEC announced that it had charged eight firms in three separate actions for failures in their cybersecurity policies and procedures. Five Cetera Entities were charged, along with Cambridge Investment Research Advisors Inc. and KMS Financial Services Inc. All were registered with the Commission as investment advisers, broker-dealers, or both.

Curious what went wrong at these firms?

Below are the key cybersecurity policy and procedure failures cited in each of the three actions.

Cetera Entities:

  • Failure to adopt written policies and procedures crafted to protect customer records and information (Violation of the “Safeguards Rule”).
  • Failure to adopt and implement procedures reasonably designed to ensure review of communications sent to impacted clients, in violation of Section 206(4) of the Advisers Act and Rule 206(4)-7.
  • Email accounts of more than 60 Cetera Entities’ personnel were taken over by unauthorized third parties, exposing the personally identifiable information of at least 4,388 Cetera Entities’ customers that was stored in the compromised email accounts.
    • None of the compromised accounts were protected by multi-factor authentication (MFA), even though Cetera had stated at the start of 2018 that MFA was required wherever applicable.
  • The firms had a range of security tools that could have reduced these risks, but failed to implement them, exposing their customers’ personally identifiable information to unreasonable risk.
  • The breach notifications Cetera sent to the firms’ clients used misleading template language that suggested the notifications were issued much sooner after discovery of the incidents than they actually were.

Cambridge Investment Research Advisors Inc.:

  • Failure to adopt written policies and procedures crafted to protect customer records and information (Violation of the “Safeguards Rule”).
  • Cloud-based email accounts of more than 121 Cambridge independent contractor representatives were taken over by unauthorized third parties, exposing the personally identifiable information of at least 2,177 customers that was stored in the compromised accounts and potentially exposing the personally identifiable information of another 3,800 customers.
  • The firm failed to adopt and implement firm-wide security enhancements for its cloud-based email accounts after discovering the first email account takeover in January 2018.
    • MFA was not required for all users until 2021, leaving sensitive customer records and information exposed in the meantime.

KMS Financial Services Inc.:

  • Failure to adopt written policies and procedures crafted to protect customer records and information (Violation of the “Safeguards Rule”).
  • Between September 2018 and December 2019, unauthorized third parties had access to 15 KMS financial adviser email accounts, exposing customer records and information, including the personally identifiable information of approximately 4,900 KMS customers.
  • KMS did not promptly revise its incident response policy to ensure protection of customers’ personally identifiable information.
  • The firm did not adopt written policies and procedures requiring additional security measures for roughly two years after discovering the first email account compromise in November 2018.
    • Those policies and procedures were not adopted for KMS email users until May 2020, and were not fully implemented until August 2020.
    • As a result, the sensitive records and information of thousands of KMS customers, including personally identifiable information, remained exposed throughout 2019 and until August 2020.

All three sets of firms were found to have violated Rule 30(a) of Regulation S-P (known as the Safeguards Rule), which requires registered firms to protect confidential customer information. Two of the Cetera Entities (Cetera Advisors LLC and Cetera Investment Advisors LLC) were also found to have violated Section 206(4) of the Advisers Act and Rule 206(4)-7 in connection with their breach notifications to clients.

The firms agreed to settle the charges and pay penalties: $200,000 for KMS Financial Services Inc., $250,000 for Cambridge Investment Research Advisors Inc., and $300,000 for the Cetera Entities.

To learn more about the charges against the firms, as well as the SEC’s findings, click here!

Who is Vigilant and what do they have to offer?

Vigilant is a full-service Investment Management Solutions Firm.

Vigilant offers core solutions that you can find here:

  • Compliance Solutions
    • Investment Adviser
    • Mutual Fund
    • Private Equity
    • Hedge Funds
    • Exchange Traded Funds
    • Broker Dealer