The SEC said that Cetera turned on multi-factor authentication for employee cloud-based email accounts after a January 2018 email breach, but many contractor representatives’ accounts did not have the authentication turned on, even though it was required by the Cetera entities in their written procedures to be turned on “wherever possible.”
“Although these email account takeovers do not appear to have resulted in any unauthorized trades or transfers in brokerage customers’ or advisory clients’ accounts,” the SEC notice said, “Cetera entities violated the safeguards rule because their policies and procedures to protect customer information and to prevent and respond to cybersecurity incidents were not reasonably designed to meet these objectives, specifically as applied to independent contractor representatives and offshore contractors.”
Cetera is headquartered in El Segundo, Calif.