The Securities and Exchange Commission has fined three hybrid broker-dealers a total of $750,000, claiming that lax cybersecurity defenses allowed third parties to breach the email of reps and employees and gain access to the firms’ private customer information. The agency made the announcements in three administrative action notices released Monday.

The three firms—Cetera Advisor Networks, Cambridge Investment Research and KMS Financial Services (as well as their affiliates)—were fined for failing to develop supervisory procedures for their clients’ personally identifiable information and thus running afoul of safeguard rules. These failures led to thousands of clients having their information exposed to third parties after the companies’ email was breached, the SEC said.

The safeguards rule, or Regulation S-P, requires broker-dealers and investment advisors to write policies and create procedures to protect the confidentiality of customer records and throw up a defensive barrier against any anticipated threats.

KMS, a dually registered broker-dealer and investment advisor based in Seattle, ran afoul of Reg S-P when 15 investment advisor email accounts were accessed by unauthorized third parties between September 2018 and December 2019. The breach allowed outsiders to take over advisor emails and send phishing messages to clients. In some cases, customers received emails asking them to wire funds to a bank account, open hostile links or provide sensitive account numbers like driver’s license and Social Security numbers. According to the SEC, the firm recommended but did not require multi-factor authentication in its network security policies.

The breach left the personal information of 4,900 clients at the broker-dealer open to viewing, the SEC said. Though KMS spotted the problem in November 2018, the firm didn’t write procedures and create security measures for the entire organization until May 2020, the SEC claims, and didn’t actually put the policies into action until a few months later, in August 2020. Until that time, the personal information of thousands of clients was exposed and vulnerable, the agency said.

KMS was wholly owned by Ladenburg Thalmann Financial Services until February 2020, when the latter firm was bought by the Advisor Group. KMS was eventually absorbed into Securities America and its registrations were withdrawn. The SEC has censured KMS and slapped a $200,000 penalty on the firm.

The SEC also censured and imposed a fine on broker-dealer Cambridge Investment Research (and its RIA firm, Cambridge Investment Research Advisors) for violating Regulation S-P. The SEC says Cambridge failed to protect customer records when the cloud-based email accounts of more than 121 of its independent contractor reps were taken over by third parties from January 2018 to July 1, 2021, a breach that allowed unauthorized users to send messages, read the reps’ email contents and otherwise mimic the legitimate email owners. The breach exposed the personal information of 2,177 customers, the agency said. Cambridge spotted the breach early, in early 2018, yet failed to put safeguards such as multi-factor authentication in place until 2021, the SEC said.

The Cambridge subsidiaries, based in Fairfield, Iowa, were hit with a $250,000 fine.

The largest fine, at $300,000, was imposed on Cetera Advisor Networks and four of its affiliates. The Cetera breach, between November 2017 and June 2020, affected the email of 60 employees at the various Cetera entities and exposed the sensitive personal information of 4,388 customers in compromised email accounts.

The SEC said that Cetera turned on multi-factor authentication for employee cloud-based email accounts after a January 2018 email breach, but many contractor representatives’ accounts did not have the authentication turned on, even though it was required by the Cetera entities in their written procedures to be turned on “wherever possible.”

“Although these email account takeovers do not appear to have resulted in any unauthorized trades or transfers in brokerage customers’ or advisory clients’ accounts,” the SEC notice said, “Cetera entities violated the safeguards rule because their policies and procedures to protect customer information and to prevent and respond to cybersecurity incidents were not reasonably designed to meet these objectives, specifically as applied to independent contractor representatives and offshore contractors.”

Cetera is headquartered in El Segundo, Calif.