On August 30, 2021, the United States Securities and Exchange Commission (“SEC”) sanctioned eight firms in three separate actions for cybersecurity deficiencies that resulted in breaches of the personal information of thousands of clients across the firms. The firms sanctioned include Cetera Advisor Networks LLC and its related entities (“Cetera”), Cambridge Investment Research, Inc. and related entities (“Cambridge”), and KMS Financial Services, Inc. (“KMS”). These SEC enforcement actions reflect an increasing trend of examiners scrutinizing, and finding deficiencies in, investment advisory firms’ cybersecurity programs. Information security is an examination priority for the SEC, and maintaining a cybersecurity program sufficient to protect firm and client information is more important than ever.
Included in the press release is a quote from Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit. “Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information. It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”
Rule 30(a) of Regulation S-P (the “Safeguards Rule”) requires registered broker-dealers and investment advisers to adopt written policies and procedures reasonably designed to:
- Insure the security and confidentiality of customer records and information.
- Protect against any anticipated threats or hazards to the security or integrity of customer records and information.
- Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The below facts were applicable to each action:
- Cetera violated the Safeguards Rule because its policies and procedures to protect customer information and to prevent cybersecurity incidents were not reasonably designed to meet these objectives. Cetera’s policies were especially lacking with respect to independent contractor representatives and offshore contractors.
  - Inadequate Policies & Enforcement
    - Nearly 60 Cetera employees or contractor representatives had their email accounts compromised through phishing, credential stuffing or other modes of attack. Additionally, although Cetera policies required use of multi-factor authentication (“MFA”), many of the compromised accounts did not use MFA, even after the firm had asked their owners to turn it on. In all, the personal identifying information (“PII”) of more than 4,000 customers was exposed.
  - Breach Notification
    - Cetera issued breach notifications to customers with exposed PII. However, the SEC found that the language used in the notifications was templated and misleading as to the timing of the breach, indicating that the breach was more recent than it actually was (Cetera had known of it six months earlier). Additionally, firm policies required that the notifications be properly reviewed before sending, which did not happen.
- Cambridge violated the Safeguards Rule by failing to adopt, in its policies, firm-wide enhanced security measures for the cloud-based email accounts of its independent representatives, which led to the exposure of customer PII.
  - Inadequate Policies & Response to Breach
    - Cambridge personnel had discovered that the email accounts of more than 100 representatives had been compromised by phishing, credential stuffing or other modes of attack. This led to emails being forwarded to unauthorized third parties outside of Cambridge, or to the accounts being used for further phishing attempts against third parties. In all, these attacks compromised the PII of more than 2,000 customers. In response, Cambridge began to suggest the use of enhanced security measures, such as MFA, but did not require them until April 2021.
- KMS violated the Safeguards Rule by failing to adopt written policies and procedures to prevent and respond to security breaches.
  - Inadequate Policies & Response to Breach
    - Fifteen KMS email accounts were accessed by unauthorized third parties, which compromised the PII of approximately 4,900 customers. Representatives were required to follow the firm’s “Privacy Policy and Required Security Safeguards,” which required financial advisers to “conduct your business practices in a way that safeguards the confidentiality of your client’s identity, including protecting all sensitive client information” and to “periodically review your internal business policies to make sure they are adequately designed to protect sensitive client information.” The firm did not require enhanced security measures until August 2020, about 21 months after discovery of the breach.
All of the firms in these actions were cited for inadequate policies for preventing cybersecurity incidents and for inadequate responses to such breaches. Cetera was also cited for sending inadequate breach notifications to affected customers. Greyline highly recommends that firms revisit their cybersecurity policies for compliance with the Safeguards Rule and for the effectiveness of their security measures. Firms should also enforce their cybersecurity policies, both in preventing data breaches and in responding to them.
Click here to read the SEC press release.