Eight US investment firms fined over inadequate cyber security policies

A hand at a computer keyboard with a digital padlock above
(Image credit: Shutterstock)

The US Securities and Exchange Commission (SEC) has fined eight investment companies for failures in their cyber security policies and procedures that resulted in the exposure of personal information belonging to thousands of customers and clients.

The companies, which include entities owned by investment groups Cetera, Cambridge, and KMS, have all agreed to settle, according to the SEC, with fines of $300,000, $250,000, and $200,000 respectively.

The commission stated that between November 2017 and June 2020, cloud-based email accounts associated with over 60 Cetera entity personnel were taken over by unauthorised third parties, resulting in the exposure of personally identifying information of at least 4,388 customers and clients.

The SEC found that none of the accounts were protected in a manner consistent with the company’s policies, and that its breach notifications sent to its clients included “misleading language suggesting the notifications were issued much sooner than they actually were after discovery of the incidents”.

The SEC said that between January 2018 and July 2021, cloud-based email accounts of over 121 Cambridge representatives were taken over by unauthorised third parties, resulting in the exposure of information belonging to at least 2,177 Cambridge customers and clients. It added that the company “failed to adopt and implement-firm wide enhanced security measures” for its email accounts until 2021, despite discovering the first email account takeover in January 2018.

Lastly, between September 2018 and December 2019, cloud-based email accounts of 15 KMS financial advisers or their assistants were taken over by unauthorised third parties, with around 4,900 KMS customer and client records being leaked. The SEC stated that KMS “failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020” and did not implement these fully across the company until August 2020, placing additional customer and client records and information at risk.

Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC, were all sanctioned as part of the ruling, as well as Cambridge Investment Research Inc., Cambridge Investment Research Advisors Inc., and KMS Financial Services Inc.


The secure cloud configuration imperative

The central role of cloud security posture management


"Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information," said Kristina Littman, chief of the SEC Enforcement Division's Cyber Unit. "It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks."

In June, the SEC launched an investigation into the SolarWinds attack, exploring whether some organisations did not disclose they had been impacted by the breach. Additionally, it was investigating the policies belonging to certain companies to see whether they are designed to protect customer information. In the US, securities law requires companies to share material information that could affect their share prices, including cyber breaches.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.