The U.S. Securities and Exchange Commission (SEC) this week announced sanctions against several companies over cybersecurity failures that resulted in email accounts getting hacked and the exposure of customer information.
A total of eight entities belonging to three companies have been sanctioned by the SEC, including Cetera (Advisor Networks, Investment Services, Financial Specialists, Advisors, and Investment Advisers), Cambridge Investment Research (Investment Research and Investment Research Advisors), and KMS Financial Services.
According to the SEC, Cetera exposed the personal information of at least 4,388 customers and clients between November 2017 and June 2020. In this timeframe, unauthorized third parties managed to hack into more than 60 cloud-based email accounts belonging to Cetera staff. The SEC was also unhappy with the fact that the breach notifications sent out by some of the Cetera companies were misleading in regards to when the breach was disclosed.
As for Cambridge Investment Research, the firms had more than 121 email accounts hijacked between January 2018 and July 2021, resulting in the exposure of information belonging to at least 2,177 customers and clients. While the first breach was discovered in January 2018, the SEC said Cambridge had failed to take action to improve protection for email accounts until 2021.
In the case of KMS, 15 financial advisers or their assistants had their email accounts hacked between September 2018 and December 2019, resulting in the exposure of information belonging to nearly 5,000 clients and customers. The SEC also determined that the company failed to implement additional security measures until August 2020.
The agency said each of the companies violated rules regarding the protection of confidential customer information, and Cetera also violated a rule related to breach notifications.
“Without admitting or denying the SEC’s findings, each firm agreed to cease and desist from future violations of the charged provisions, to be censured and to pay a penalty,” the SEC said.
Cetera will pay $300,000, Cambridge will pay $250,000, and KMS will pay a $200,000 penalty.