Regulator Cites Email Takeovers, Inadequate Incident Response
The U.S. Securities and Exchange Commission sanctioned eight financial firms for alleged failures related to cybersecurity policies and procedures, each stemming from email account takeovers and related incident response, the regulator announced this week.
The sanctioned firms did not admit or deny the commission’s findings, but “agreed to cease and desist from future violations of the charged provisions, to be censured and to pay a penalty,” according to the SEC. Cumulative fines total $750,000.
The SEC says the email account takeovers did not appear to result in unauthorized trades or fund transfers. The commission-registered firms include five entities of the El Segundo, California-based shared services organization Cetera; two entities of the Fairfield, Iowa-based financial advisory firm Cambridge; and Seattle-based investment advisory firm KMS. Specific entities include:
- Cetera Advisor Networks LLC;
- Cetera Investment Services LLC;
- Cetera Financial Specialists LLC;
- Cetera Advisors LLC;
- Cetera Investment Advisers LLC;
- Cambridge Investment Research Inc.;
- Cambridge Investment Research Advisors Inc.;
- KMS Financial Services Inc.
The Cetera entities will pay a $300,000 penalty; Cambridge will pay a $250,000 penalty; and KMS will pay a $200,000 penalty, the SEC says.
A spokesperson for the SEC did not comment further on its findings. A representative for Cambridge says the firm does not comment on regulatory matters. The other financial firms could not immediately be reached for comment.
Order Against Cetera
The SEC says between November 2017 and June 2020, cloud-based email accounts of over 60 Cetera personnel were compromised by unauthorized third parties, resulting in the exposure of personally identifiable information of at least 4,388 customers and clients.
Its order says that, as with the other sanctioned entities, accounts were taken over “via phishing, credential stuffing or other modes of attack.” And “none of the compromised [Cetera] email accounts had multifactor authentication turned on,” it states, despite the firm’s own policy requiring it “where possible” since 2018.
The SEC says the compromised accounts “were [not] protected in a manner consistent with the Cetera Entities’ policies.” The regulator says two entities sent breach notification letters to clients with “misleading language” around initial incident detection – including “template language” that inaccurately labeled the incident as “recent.”
In its order, the SEC alleges that the Cetera entities’ policies and procedures “were not reasonably designed” to protect clients.
“Cetera Entities had a significant number of security tools at their disposal that allowed them to implement controls that would mitigate these higher risks,” the order alleges. “However, [it] failed to use these tools in the manner tailored to their business, exposing their customers’ PII to unreasonable risk.”
The SEC’s Cambridge order alleges that between January 2018 and July 2021, cloud-based email accounts of more than 121 Cambridge representatives were “taken over by unauthorized third parties,” with PII exposure of at least 2,177 customers and clients.
“Although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021,” the SEC states. This included the adoption of multifactor authentication, which became a requirement for cloud-based email accounts in 2021.
A Cambridge spokesperson tells ISMG that “Cambridge has and does maintain a robust information security group and procedures to ensure clients’ accounts are fully protected.”
In its findings on KMS, the SEC says between September 2018 and December 2019, email accounts of 15 of the firm’s financial advisers or their assistants were compromised by unauthorized third parties, exposing the PII of approximately 4,900 customers and clients.
“KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020, and did not fully implement those additional security measures … until August 2020,” the SEC states.
The KMS order notes, “[The firm’s] incident response policy was not reasonably designed to ensure that the email account compromises were remediated in a timely manner to ensure the protection of customer PII.”
‘Must Fulfill Obligations’
Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit, says, “Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information.
“It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are partially implemented, especially in the face of known attacks.”
Additionally, security experts say the SEC’s actions preview future regulatory enforcement around cybersecurity.
John Berry, former associate regional director for the SEC’s Los Angeles office and currently an attorney in private practice, adds, “These recent cases show that the SEC continues to be willing and interested in going after companies or firms that [it] believes do not have strong enough controls in place to stop cyberattacks, even if they are victims of the attacks themselves.”
Alec Alvarado, an intelligence officer with the U.S. Army Reserve and the threat intelligence team lead at the security firm Digital Shadows, says, “Account takeover continues to emerge as a significant problem for organizations as the exposed credential database grows. Threat actors can use brute-force tools with known exposed passwords to conduct account compromises.”
He adds, “[The SEC’s actions] reaffirm the expectation that organizations should be following through with their claims of data protection. Following basic security practices is a good start in avoiding data loss incidents, which continue to be prevalent.”
Similarly, Sounil Yu, a visiting fellow for the National Security Institute at George Mason University and CISO at the security firm JupiterOne, says, “The SEC actions show that they are accelerating the use of their enforcement powers to penalize those who are being lackadaisical in their cybersecurity posture.
“The SEC penalties signal that their patience and tolerance for inadequate cybersecurity controls is wearing thin. Companies should expect greater regulatory scrutiny from the SEC … and should be proactive in developing a robust risk management program.”
That scrutiny also extends to the cryptocurrency space, particularly decentralized finance, which does not rely on intermediaries to conduct financial services. This week, the SEC announced it has contracted with the blockchain analytics firm AnChain.AI to monitor illicit activity involving smart contracts. Legal experts say the move previews imminent cryptocurrency regulation (see: SEC to Monitor Illicit Activity on DeFi Platforms).