SEC Fines Cetera, Cambridge and KMS Over Email Account Hacks
The Securities and Exchange Commission has imposed a total of $750,000 in penalties and censured five Cetera Financial Group firms, Cambridge Investment Research and KMS Financial Services over cybersecurity lapses, according to an announcement on Monday.
Each of the firms violated the SEC’s Regulation S-P customer privacy rule and specifically its Safeguards Rule, according to the federal agency. It fined the Cetera entities, including Cetera Advisor Networks, Cetera Investment Services, Cetera Financial Specialists, Cetera Advisors, and Cetera Investment Advisers, $300,000. Cambridge agreed to pay a $250,000 penalty, and KMS paid a $200,000 penalty.
“It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks,” Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit, said in a statement.
The SEC noted that for each of the firms, no client harm, including unauthorized trades or fraud, appeared to have occurred as a result.
Between 2017 and 2020, email accounts of over 60 Cetera personnel, including brokers, were taken over by unauthorized parties, including through phishing and “credential stuffing,” the SEC said. Hackers were able to gain access in part because none of the accounts had multi-factor authentication enabled, even though Cetera policies required it in 2018. Emails belonging to over 4,388 of the Cetera entities’ customers were exposed.
“None of the taken over accounts were protected in a manner consistent with the Cetera Entities’ policies,” the SEC said in a statement.
The SEC also alleged that Cetera Advisors and Cetera Investment Advisers sent affected clients breach notifications that included “misleading language suggesting that the notifications were issued much sooner than they actually were after discovery of the incidents,” in violation of the Advisers Act.
A spokesperson for Cetera Financial Group, which owns the five Cetera firms, did not return a request for comment.
At Cambridge Investment Research Advisors, hackers took over 121 broker email accounts between January 2018 and July 2021, exposing personal information of at least 2,177 clients. The issues were also due in part to a lack of multi-factor authentication, the SEC said, and it noted that the firm failed to take quick action to resolve the problem.
“[A]lthough Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021, resulting in the exposure and potential exposure of additional customer and client records and information,” the federal agency said.
A spokesperson for Fairfield, Iowa-based Cambridge, which has around 3,600 independent brokers, according to its site, said the company “has and does maintain a robust information security group and procedures to ensure client’s accounts are fully protected.”
At KMS, unauthorized third parties took over 15 cloud-based email accounts belonging to the firm’s financial advisors and their assistants, exposing about 4,900 clients’ personal information, the SEC said.
“KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020, and did not fully implement those additional security measures firm-wide until August 2020, placing additional customer and client records and information at risk,” the SEC said.
A spokesperson for KMS, a Seattle-based subsidiary of Ladenburg Thalmann, which became part of independent broker-dealer conglomerate Advisor Group in 2020, did not return a request for comment.
Other brokerages have previously coped with potential leaks of customers’ personal information, including Morgan Stanley last year, where the data had been stored on decommissioned hardware; that incident led the wirehouse to offer current and former wealth management customers two-year free subscriptions to a credit report monitoring service as compensation.