The Securities and Exchange Commission has fined three hybrid broker-dealers a total of $750,000, claiming that lax cybersecurity defenses allowed third parties to breach the email of reps and employees and gain access to the firms’ private customer information. The agency made the announcements in three administrative action notices released Monday.

The three firms—Cetera Advisor Networks, Cambridge Investment Research and KMS Financial Services (as well as their affiliates)—were fined for failing to develop supervisory procedures for their clients’ personally identifiable information and thus running afoul of safeguard rules. These failures led to thousands of clients having their information exposed to third parties after the companies’ email was breached, the SEC said.

The safeguards rule, or Regulation S-P, requires broker-dealers and investment advisors to write policies and create procedures to protect the confidentiality of customer records and throw up a defensive barrier against any anticipated threats.

KMS, a dually registered broker-dealer and investment advisor based in Seattle, ran afoul of Reg S-P when 15 investment advisor email accounts were accessed by unauthorized third parties between September 2018 and December 2019. The breach allowed outsiders to take over advisor emails and send phishing messages to clients. In some cases, customers received emails asking them to wire funds to a bank account, open hostile links or provide sensitive account numbers like driver’s license and Social Security numbers. According to the SEC, the firm recommended but did not require multi-factor authentication in its network security policies.

The breach left the personal information of 4,900 clients at the broker-dealer open to viewing, the SEC said. Though KMS spotted the problem in November 2018, the firm didn’t write procedures and create security measures for the entire organization until May 2020, the SEC claims, and didn’t actually put the policies into action until a few months later in August 2020. Until that time, the personal information of thousands of clients was exposed and vulnerable, the agency said.

KMS was wholly owned by Ladenburg Thalmann Financial Services until February 2020, when the latter firm was bought by the Advisor Group. KMS was eventually absorbed into Securities America and its registrations were withdrawn. The SEC has censured KMS and slapped a $200,000 penalty on the firm.

The SEC also censured and imposed a fine on broker-dealer Cambridge Investment Research (and its RIA firm, Cambridge Investment Research Advisors) for violating Regulation S-P. The SEC says Cambridge failed to protect customers’ records when the cloud-based email accounts of more than 121 of its independent contractor reps were taken over by third parties from January 2018 to July 1, 2021, a breach that allowed unauthorized users to send messages, read the reps’ email contents and otherwise mimic the legitimate email owners. The breach exposed the personal information of 2,177 customers, the agency said. Cambridge spotted the breach early (in early 2018) yet also failed to put safeguards such as multi-factor authentication in place until later—in 2021, the SEC said.

The Cambridge subsidiaries, based in Fairfield, Iowa, were hit with a $250,000 fine.

The largest fine, at $300,000, was imposed on Cetera Advisor Networks and four of its affiliates. The Cetera breach, between November 2017 and June 2020, affected the email of 60 employees at the various Cetera entities and exposed the sensitive personal information of 4,388 customers in compromised email accounts.
