SEC Sanctions to get brokerages and money managers to better protect their clients’ personal information

By Dylan Tokar, Aug. 30, 2021 6:22 pm, WSJ

Securities regulators on Monday sanctioned three financial advisory firms over email account break-ins that exposed the personal information of thousands of customers.

The enforcement actions are the latest example of the U.S. Securities and Exchange Commission penalizing brokerages and money managers over hacks. The SEC alleged the three firms failed to implement adequate policies to protect customer information and respond to cybersecurity risks. 

“It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks,” Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit, said in a statement.

The SEC in three separate enforcement actions fined five entities associated with Cetera Financial Group; two associated with Cambridge Investment Research Inc.; and KMS Financial Services Inc. Cetera will pay a $300,000 penalty, while Cambridge will pay $250,000 and KMS $200,000, according to the regulator.

The Cetera and Cambridge Investment firms, along with KMS, agreed to settle the SEC’s claims without admitting or denying the findings. A spokesman for Cambridge Investment said the firm didn’t comment on regulatory matters. Representatives of Cetera and KMS didn’t respond to requests for comment.

The cybersecurity failures at Cetera enabled hackers to take over the email accounts of more than 60 personnel, resulting in the personal information of at least 4,388 customers and clients being exposed, according to the regulator.

None of the accounts were protected in a manner consistent with Cetera policies, the SEC said. The agency also found that Cetera sent notifications about the breaches with misleading language.

Similar intrusions at Cambridge Investment and KMS led to at least 2,177 and 4,900 customers and clients having their personal information exposed, respectively, according to the SEC.

The SEC said each of the firms sanctioned Monday had violated a so-called safeguards rule, which requires that broker-dealers and investment firms registered with the agency adopt written policies and procedures that protect customer records and information.

All of the entities sanctioned Monday were registered as broker-dealers, investment advisory firms or both, the agency said.

The SEC brought one of the first such cases against broker-dealer Voya Financial Advisors Inc. in 2018. The enforcement action was the first to allege violations of an identity theft red flags rule, which requires firms to take steps to prevent identity theft, according to the SEC.

Harvey Yan
