SEC Announces Three Actions Charging Deficient Cybersecurity Procedures

On August 30, 2021, the United States Securities and Exchange Commission (“SEC”) sanctioned eight firms in three separate actions for cybersecurity deficiencies that resulted in the exposure of personal information belonging to thousands of clients across the firms. The sanctioned firms are Cetera Advisor Networks LLC and its related entities (“Cetera”), Cambridge Investment Research, Inc. and its related entities (“Cambridge”), and KMS Financial Services, Inc. (“KMS”). These SEC enforcement actions reflect a growing trend of examining investment advisory firms’ cybersecurity programs and finding deficiencies in them. Information security is an examination priority for the SEC, and maintaining a sufficient cybersecurity program to protect firm and client information is more important than ever.

Included in the press release is a quote from Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit. “Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information. It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”

Rule 30(a) of Regulation S-P (the “Safeguards Rule”) requires registered broker-dealers and investment advisers to adopt written policies and procedures reasonably designed to:

  • Insure the security and confidentiality of customer records and information.
  • Protect against any anticipated threats or hazards to the security or integrity of customer records and information.
  • Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

The facts of each action, as summarized in the SEC orders:

  • Cetera violated the Safeguards Rule because its policies and procedures to protect customer information and to prevent cybersecurity incidents were not reasonably designed to meet these objectives. Cetera’s policies were especially lacking with respect to independent contractor representatives and offshore contractors.
    • Inadequate Policies & Enforcement
      • Nearly 60 Cetera employees or contractor representatives had email accounts compromised through phishing, credential stuffing or other modes of attack. Although Cetera’s policies required multi-factor authentication (“MFA”), many of the compromised accounts did not use MFA, even after the firm had asked the account holders to turn it on. In all, the personal identifying information (“PII”) of more than 4,000 customers was exposed.
    • Breach Notification
      • Cetera issued breach notifications to customers whose PII had been exposed. The SEC found, however, that the notifications used templated language that was misleading as to the timing of the breach, suggesting it was more recent than it actually was (Cetera had known of the compromises six months earlier). Firm policy also required the notifications to be reviewed before they were sent, and that review did not happen.
  • Cambridge violated the Safeguards Rule by failing to adopt, in its policies, firm-wide enhanced security measures for the cloud-based email accounts of its independent representatives, which led to the exposure of customer PII.
    • Inadequate Policies & Response to Breach
      • Cambridge personnel discovered that the email accounts of more than 100 representatives had been compromised through phishing, credential stuffing or other modes of attack. The compromised accounts were used to forward email to unauthorized third parties outside Cambridge and to send further phishing messages to third parties. In all, these attacks compromised the PII of more than 2,000 customers. In response, Cambridge began recommending enhanced security measures such as MFA, but did not require them until April 2021.
  • KMS violated the Safeguards Rule by failing to adopt written policies and procedures to prevent and respond to security breaches.
    • Inadequate Policies & Response to Breach
      • Fifteen KMS email accounts were accessed by unauthorized third parties, compromising the PII of approximately 4,900 customers. Representatives were required to follow the firm’s “Privacy Policy and Required Security Safeguards,” which instructed financial advisers to “conduct your business practices in a way that safeguards the confidentiality of your client’s identity, including protecting all sensitive client information” and to “periodically review your internal business policies to make sure they are adequately designed to protect sensitive client information.” Enhanced security measures were not required by the firm until August 2020, about 21 months after the breach was discovered.

All of the firms in these actions were cited for inadequate policies to prevent cybersecurity incidents and for inadequate responses to the breaches that occurred. Cetera was also cited for sending inadequate breach notifications to affected customers. Greyline strongly recommends that firms revisit their cybersecurity policies for compliance with the Safeguards Rule and for the effectiveness of the security measures they require. Firms should also enforce those policies in practice, both in preventing breaches of customer data and in responding to them.


Darren Mooney

Partner and Co-Head of Business Development

Darren Mooney is a Partner and the Co-Head of Business Development at Greyline. Before joining Greyline, Darren served as deputy chief compliance officer of Partner Fund Management where he held primary responsibility for the compliance program of the second-largest hedge fund in the Bay Area. Prior to that, Darren spent five years providing compliance consulting services at Cordium and then ACA Compliance Group, where he led the company’s San Francisco office and west coast operations. In addition to providing ongoing consulting services to a variety of investment managers, including hedge fund, private equity, venture capital, real estate, quantitative and other wealth managers, Darren also regularly guided clients through the SEC registration process, implemented tailored compliance programs, supported clients’ live SEC exams, and served as an SEC-mandated independent compliance consultant following an SEC enforcement action. Darren’s other experience includes serving as deputy chief compliance officer and associate counsel at F-Squared Investments where he directly supported the compliance program during the investigation and subsequent enforcement regarding historical advertising practices. Darren has a B.S. in Economics from the University of Delaware and a J.D. from Suffolk University Law School. He is a member of the Massachusetts bar.

Annie Kong

Partner and Head of Venture Capital

Annie Kong is a Partner and Head of the Venture Capital Division at Greyline. She provides ongoing compliance consulting to investment advisers and manages client relationships. Prior to joining Greyline, Annie was part of compliance and operations at a long-only manager-of-managers that advised pension fund clients. While there, she conducted compliance and operational due diligence on SEC-registered investment advisers on the platform. She also oversaw and counseled on various legal matters across the firm. Annie has a B.A. in Economics from the University of California, San Diego, and a J.D. from the University of San Diego School of Law. She is an active member of the State Bar of California.