Eight Firms Settle SEC Charges for Customer PII Exposures

The SEC sanctioned eight firms in three separate actions for cybersecurity deficiencies that resulted in the exposure of the personally identifying information ("PII") of thousands of customers and clients. The sanctioned firms, each of which was registered with the SEC as a broker-dealer, an investment adviser, or both, settled the SEC charges.

In the first order, which sanctioned five related subsidiary entities of a corporate parent, the SEC found that between November 2017 and June 2020 unauthorized third parties took over the cloud-based email accounts of more than 60 of the related entities' employees, resulting in the exposure of the PII of over 4,000 customers and clients. The SEC stated that although the entities had policies requiring multifactor authentication ("MFA") where possible, none of the compromised email accounts had MFA enabled. The SEC also found that some of the breach notifications sent to affected customers described the breaches as "recent" and misrepresented that the entities had learned of the incidents two months before sending the notifications, when in fact the notifications were sent at least six months after the incidents occurred.

As a result of its findings, the SEC determined that the firms violated Section 206(4) ("Prohibited transactions by investment advisers") of the Advisers Act, IAA Rule 206(4)-7 ("Compliance procedures and practices") and Regulation S-P Rule 30(a) ("Procedures to safeguard customer records and information; disposal of consumer report information").

In the second order, which sanctioned two related firms, the SEC found that between January 2018 and July 2021 third parties took over the cloud-based email accounts of more than 121 of the firms' independent contractor representatives, exposing the PII of over 2,000 customers. Despite learning of the email compromises in January 2018, the firms failed to put in place improved firm-wide security procedures for cloud-based email accounts, including MFA, resulting in the exposure and potential exposure of additional customer and client information.

In the third order, which sanctioned one firm, the SEC found that between September 2018 and December 2019 unauthorized third parties accessed the email accounts of 15 of the firm's financial advisers, which led to the exposure of the PII of approximately 4,900 customers and clients. In addition, the SEC determined that despite first learning of an account breach in November 2018, the firm did not adopt written policies and additional firm-wide security measures until May 2020, and those measures were not implemented until August 2020. The SEC stated that as a result, the PII of thousands of additional customers was potentially and actually exposed.

As a result of its findings in the second and third orders, the SEC determined that the three firms violated Regulation S-P Rule 30(a).

To settle the charges, all eight entities agreed to (i) cease and desist from further violations and (ii) a censure. The entities subject to the first order agreed to pay a $300,000 penalty, the entities subject to the second order agreed to pay a $250,000 penalty and the entity subject to the third order agreed to pay a $200,000 penalty.
