The Securities and Exchange Commission (SEC) has sanctioned eight firms in three actions for failures in their cybersecurity policies and procedures. All firms involved were Commission-registered as broker dealers, investment advisory firms, or both.
Align has put together a brief synopsis of the events below. Read the full SEC press release here.
SEC levies heavy fines to eight firms in mini-class action Enforcement Proceeding, encompassing three separate actions.
According to an announcement released August 30, 2021 by the SEC, the cybersecurity failures resulted in email account takeovers exposing the personal information of thousands of customers and clients at each of the firms.
The eight firms, which have agreed to settle the charges, are: Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, the Cetera Entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS). All were Commission-registered as broker dealers, investment advisory firms, or both.
The SEC's orders against each of the eight firms find that they violated Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which is designed to protect confidential customer information. The SEC's order against the Cetera Entities also finds that Cetera Advisors LLC and Cetera Investment Advisers LLC violated Section 206(4) of the Advisers Act and Rule 206(4)-7 in connection with their breach notifications to clients.
“The failures involved are thematic of what has become the most common deficiency in the investment management industry since 2020: credential compromise,” says John Araneo, Managing Director and General Counsel at Align. “Whether by way of credential stuffing, phishing attack or other means of social engineering, in the aggregate, the targeted firms lost control of almost two hundred (200) cloud-based email accounts which in turn exposed varying amounts of PII for almost 10,000 client accounts in the aggregate. Ironically, the compromise itself, however egregious in scale, is not the smoking gun here but rather that the subject firms each: (a) failed to protect the accounts sufficiently, (b) could not demonstrate such accounts were in fact protected in accordance with the pertinent written policies of each target firm, and (c) failed to demonstrate responses that were either sufficient or prompt.”
Without admitting or denying the SEC's findings, each firm agreed to cease and desist from future violations of the charged provisions, to be censured and to pay a penalty. The Cetera Entities will pay a $300,000 penalty, Cambridge will pay a $250,000 penalty, and KMS will pay a $200,000 penalty.
Vinod Paul, Chief Operating Director at Align, explains, “We see these deficiencies every day with our takeaway business within the investment management community. Often these deficiencies are a direct result of cloud-based email systems that haven’t been configured correctly. The precise recipe for any fund manager of any size has to include cloud-based email systems that are configured with layers of security including dual factor authentication and password policies; active monitoring of the solution to ensure that standards and policies are enforced, and most importantly, proper training of the employee base to ensure they understand the changing threat landscape and their responsibilities/role to help protect their firm.”
Araneo continues: “Regardless of size, sophistication or level of resources, far too many managers continue to neglect cybersecurity and opt for solutions that are sold as 'turn-key,' but in fact are templated, commoditized and non-bespoke, making them entirely insufficient. The most successful fund managers we see in the ecosystem are those that take Cybersecurity Risk seriously and can articulate the basic anatomy of their Cybersecurity Program—however complex or simplistic. These are the firms that are winning in the ODD and regulatory examinations and leaving the majority of their brethren behind.”
Align Cybersecurity™, Align's leading-edge cloud services and robust cybersecurity advisory practice, can help safeguard your business from these kinds of breaches. It assesses and addresses evolving cybersecurity threats, and allows our clients to create customizable solutions that mitigate risk and compliance burdens while empowering secure, agile, mission-critical services.