SEC fines 3 independent brokerages a collective $750K over email hacks that hit thousands of clients

Three independent brokerages received slaps on the wrists from the SEC after hackers breached advisors’ emails and stole personal information about thousands of clients.

Wall Street’s regulator said the firms did not have written policies in place to protect against cybersecurity risks. In one case, a brokerage took nearly three years after the hacks to clean up its cybersecurity practices.


The firms are:

  • KMS Financial Services of Seattle, Washington
  • Cetera Entities of El Segundo, California (comprised of Cetera Advisor Networks, Cetera Investment Services, Cetera Financial Specialists, Cetera Advisors and Cetera Investment Advisers)
  • Cambridge Investment of Fairfield, Iowa (comprised of Cambridge Investment Research and Cambridge Investment Research Advisors)

All three companies allegedly violated the SEC’s “Safeguards Rule” of Regulation S-P, which requires firms to adopt written policies and procedures to protect the privacy of customers’ personal information and data. The firms neither admitted nor denied guilt.

"Investment advisers and broker-dealers must fulfill their obligations concerning the protection of customer information," said Kristina Littman, chief of the SEC Enforcement Division's Cyber Unit, in the release. "It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks."

The companies were each censured, ordered to cease and desist from committing violations, and ordered to pay civil money penalties to the SEC — $200,000 for KMS, $300,000 for Cetera and $250,000 for Cambridge Investments.

KMS Financial Services
Between September 2018 and August 2020, KMS employees and 400 advisors who were contract employees used a cloud-based email system for all communications. They regularly sent and received emails containing customers’ personal information, including Social Security numbers, driver's license numbers and bank account details. KMS advisors also stored customer data in cloud-based email files.

KMS advisors were supposed to adhere to a company policy that required strong passwords, secure wireless networks, antivirus software protection, secure backup and stored data, and encrypted hard drives. The company policies also allegedly recommended, but did not mandate, multi-factor authentication, known as MFA.

Nevertheless, over nearly two years, 15 advisors or their assistants were hacked by third parties that accessed the email accounts “and had the ability to take action in the accounts.”

Approximately 4,900 KMS customer accounts were exposed. Some emails containing customer details were forwarded to suspicious email addresses, and some customers received phishing emails that asked them to wire funds to a bank account, enter their driver’s license or Social Security numbers to access a document, or click a link to view an investment recommendation. The phony emails “would grant access to the customer’s computer,” court documents allege.

KMS eventually ordered the advisors to reset their email passwords, block the forwarding of emails and use multi-factor authentication. But KMS waited nearly two years after discovering the hacks to take those steps.

The “security measures were not fully implemented firm-wide until August 2020, which was approximately 21 months after discovery of the first breach, in which approximately 2,700 emails of one KMS financial adviser were exposed for a period of 26 days during which unauthorized third parties forwarded the financial adviser’s emails to an email address outside of the firm,” the court document alleges.

KMS hired two forensic firms to investigate the email hacks in July 2018. The firms recommended that KMS accelerate its plans to roll out multi-factor authentication for its independent contractors.

But despite the recommendation, “KMS failed to adopt written policies and procedures requiring additional firm-wide security measures for all KMS email users, such as MFA, until May 2020, when it issued new policies and procedures.” While KMS had begun implementing additional security measures, such as MFA, it did not fully implement those measures firm-wide until August 2020.

“This timeline placed at risk the security of additional customer records and information,” court documents allege.

The 15 email account takeovers did not result in unauthorized trades or fund transfers to unauthorized parties, according to court documents.

Cetera Entities
Similarly, 60 Cetera staffers’ email accounts were hacked between November 2017 and June 2020, exposing the personal data of 4,388 customers, according to separate court documents.

“At the time, none of these accounts had multi-factor authentication turned on, even though Cetera Entities’ own policies required MFA ‘wherever possible’ beginning in 2018,” according to court documents.

During the time period, Cetera Entities’ staff and independent contractors, including offshore contractors, used a cloud-based email service to communicate routinely with customers and to store customer data. Cetera Entities’ corporate parent, Cetera Financial Group (CFG), managed employee and offshore contractor email accounts, but not all contractor accounts.

“Cetera Entities violated the Safeguards Rule because their policies and procedures to protect customer information and to prevent and respond to cybersecurity incidents were not reasonably designed to meet these objectives, specifically as applied to independent contractor representatives and offshore contractors,” the SEC alleged. The regulator added that Cetera “had a significant number of security tools” available to “implement controls that would mitigate these higher risks,” but did not put them to use promptly. “However, Cetera Entities failed to use these tools in the manner tailored to their business, exposing their customers’ PII to unreasonable risks,” the SEC alleges.

Two Cetera units, Cetera Advisors and Cetera Investment Advisers, also failed to adopt reasonably designed policies regarding the review of communications to advisory clients, the SEC said.

“This failure resulted in sending breach notifications to the firms’ clients that included misleading template language suggesting that the notifications were issued much sooner than they actually were after the discovery of the incidents,” court documents allege.

Beginning in February 2018, Cetera Entities required MFA to be turned on “wherever possible.” In October 2018, the policy was amended to require MFA “wherever possible, but at a minimum for privileged or high-risk access,” court documents allege.

Some 32 email accounts of Cetera contractors were hacked in November and December 2017, court documents allege. In January 2018, Cetera turned on multi-factor authentication for staff employees’ cloud-based email accounts.

Two months later, Cetera turned on the added layer of protection for 6,650 contractor email accounts. Yet in March 2018, the company identified 1,500 email accounts used by contractor representatives or their employees that still did not have the extra protection, court documents allege.

In October and December 2018, the personal data of 1,831 Cetera customers handled by two contract advisors without MFA was exposed. Hackers took over the email accounts of an additional 23 contract advisors during the first half of 2018, and of one contract advisor during the second half of 2018, resulting in 199 clients having their data exposed, according to court documents.

In 2019, another two email accounts of contract advisors were hacked, exposing 16 customers. In the first half of 2020, three more contractors’ email accounts were breached, exposing 680 customers.

“None of the compromised email accounts had MFA turned on, despite Respondents’ 2018 policies requiring the use of MFA ‘wherever possible,’” court documents allege.

According to court documents, Cetera did not require offshore contractor email accounts to implement multi-factor authentication until the end of 2019. Between 2018 and 2019, four such email accounts were hacked, and two of those incidents resulted in the exposure of the PII of 1,662 customers.

Cetera Entities also allegedly sent 220 breach notifications to customers that inaccurately stated the date of the hacks. The notifications referred to the incidents as “recent” and said that advisors had learned about the breaches only two months before the notification. The advisors had known at least six months earlier, court documents allege.

The breach notifications “created a misleading impression that the incidents had occurred much more recently than they had and that each firm had learned of the incidents and promptly notified its customer,” court papers said.

Cambridge Investment
Cambridge Investment allegedly saw 121 email accounts hacked between January 2018 and July 2021. At least 2,177 customers were exposed, court documents allege.

Though Cambridge Investment discovered the first email hack in January 2018, it did not adopt firm-wide enhanced security measures for cloud-based email accounts until 2021, “resulting in the exposure and potential exposure of additional customer and client records and information,” the SEC said.

After Cambridge Investment discovered the hack, it suspended the affected independent representatives’ accounts, reset their passwords and recommended that multi-factor authentication be used for the affected accounts. But the firm “did not require any other enhanced security measure to prevent similar compromises in the future,” court documents allege. “Although some of the independent representatives followed Cambridge’s recommendation and implemented MFA, many did not.”

In April 2021, Cambridge adopted a policy requiring multi-factor authentication for all cloud-based email accounts, effective July 1, 2021.

Cetera Entities and Cambridge Investment did not comment, and KMS Financial did not respond to media requests.
