The SEC handed down sanctions against eight firms this week for a slate of cybersecurity failures that resulted in the leakage of personal data for thousands of people.
Cetera Advisor Networks, Cetera Investment Services, Cetera Financial Specialists, Cetera Advisors and Cetera Investment Advisers (collectively, the Cetera Entities); Cambridge Investment Research and Cambridge Investment Research Advisors (collectively, Cambridge); and KMS Financial Services (KMS) were all named by the SEC for lackluster cybersecurity policies that led to "email account takeovers exposing the personal information of thousands of customers and clients at each firm."
According to an SEC statement, all of the firms are Commission-registered as broker-dealers, investment advisory firms, or both. The Cetera companies will pay a $300,000 penalty, Cambridge will pay a $250,000 penalty, and KMS will pay a $200,000 penalty.
The SEC said that from November 2017 to June 2020, 60 cloud-based email accounts of Cetera Entities employees were hacked into, leading to 4,388 customers and clients having their personal information leaked.
The SEC did not list the kind of personal information leaked in each case.
"None of the taken over accounts were protected in a manner consistent with the Cetera Entities' policies. The SEC's order also finds that Cetera Advisors LLC and Cetera Investment Advisers LLC sent breach notifications to the firms' clients that included misleading language suggesting that the notifications were issued much sooner than they actually were after discovery of the incidents," the SEC statement said.
"According to the SEC's order against Cambridge, between January 2018 and July 2021, cloud-based email accounts of over 121 Cambridge representatives were taken over by unauthorized third parties, resulting in the PII exposure of at least 2,177 Cambridge customers and clients. The SEC's order finds that although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021, resulting in the exposure and potential exposure of additional customer and client records and information."
Fifteen KMS financial advisers had their accounts taken over, exposing almost 5,000 customers' information between September 2018 and December 2019. KMS didn't change its cybersecurity policies until May 2020 and didn't even implement those changes until August 2020.
Kristina Littman, chief of the SEC Enforcement Division's Cyber Unit, said investment advisers and broker-dealers need to fulfill their obligations concerning the protection of customer information.
"It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks," Littman said.
All of the firms violated the Safeguards Rule protecting customer information, and Cetera also violated other rules related to the erroneous information included in its breach notification letters.
"Without admitting or denying the SEC's findings, each firm agreed to cease and desist from future violations of the charged provisions, to be censured and to pay a penalty," the SEC said in a statement.
Pravin Kothari, executive vice president at cybersecurity company Lookout, said organizations of all kinds need to be aware of the growing risk to their data in the cloud and must always protect personally identifiable information and protected health information, given the growing number of regulations on individuals' data privacy, such as GDPR, PCI DSS, HIPAA and CCPA.
"Financial services have additional regulations for client data protection such as GLBA, SEC, FFIEC," Kothari added.
Digital Shadows threat intelligence team lead Alec Alvarado noted that the cases show how the continued targeting of cloud-based email services often results in broader compromise.
Account takeover continues to emerge as a significant problem for organizations as the pool of exposed credentials grows, Alvarado said.
"A second implication is the potential exposure that can result from a single compromise. Threat actors can easily conduct lateral movement and pivot across compromised infrastructure after they gain initial access," Alvarado told ZDNet.