Eight US investment firms fined over inadequate cyber security policies

Failures in the companies’ cyber security practices resulted in the leak of thousands of customer and client records

The US Securities and Exchange Commission (SEC) has fined eight investment companies for failures in their cyber security policies and procedures that resulted in the exposure of personal information belonging to thousands of customers and clients.

The companies, which include entities owned by investment groups Cetera, Cambridge, and KMS, have all agreed to settle, according to the SEC, with fines of $300,000, $250,000, and $200,000 respectively.

The commission stated that between November 2017 and June 2020, cloud-based email accounts associated with over 60 Cetera entity personnel were taken over by unauthorised third parties, resulting in the exposure of personally identifying information of at least 4,388 customers and clients.

The SEC found that none of the accounts were protected in a manner consistent with the company’s policies, and that its breach notifications sent to its clients included “misleading language suggesting the notifications were issued much sooner than they actually were after discovery of the incidents”.

The SEC said that between January 2018 and July 2021, cloud-based email accounts of over 121 Cambridge representatives were taken over by unauthorised third parties, resulting in the exposure of information belonging to at least 2,177 Cambridge customers and clients. It added that the company “failed to adopt and implement firm-wide enhanced security measures” for its email accounts until 2021, despite discovering the first email account takeover in January 2018.

Lastly, between September 2018 and December 2019, cloud-based email accounts of 15 KMS financial advisers or their assistants were taken over by unauthorised third parties, with around 4,900 KMS customer and client records being leaked. The SEC stated that KMS “failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020” and did not implement these fully across the company until August 2020, placing additional customer and client records and information at risk.

Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC, were all sanctioned as part of the ruling, as well as Cambridge Investment Research Inc., Cambridge Investment Research Advisors Inc., and KMS Financial Services Inc.

"Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information," said Kristina Littman, chief of the SEC Enforcement Division's Cyber Unit. "It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks."

In June, the SEC launched an investigation into the SolarWinds attack, exploring whether some organisations did not disclose they had been impacted by the breach. Additionally, it was investigating the policies belonging to certain companies to see whether they are designed to protect customer information. In the US, securities law requires companies to share material information that could affect their share prices, including cyber breaches.