The SEC levied fines and penalties on each firm ranging from $200,000 to $300,000.

"Investment advisors and broker-dealers must fulfill their obligations concerning the protection of customer information," Kristina Littman, chief of the SEC Enforcement Division's cyber unit, said in a statement. "It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks."

According to the SEC's order against the Cetera companies, cloud-based email accounts of over 60 Cetera personnel were taken over by unauthorized third parties, resulting in the exposure of at least 4,388 customers’ and clients’ personal information between November 2017 and June 2020.

None of the accounts “were protected in a manner consistent with” Cetera policies, the SEC found. The SEC also discovered that Cetera sent misleading breach notifications to each client, suggesting that the notifications were issued much sooner after discovery of the incidents than they actually were.

The SEC's order against Cambridge found that the cloud-based email accounts of over 121 Cambridge reps were taken over by unauthorized third parties, resulting in the exposure of at least 2,177 Cambridge customers and clients between January 2018 and July 2021.

The SEC's order found that “although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts until 2021, resulting in the exposure and potential exposure of additional customer and client records and information.”
