The SEC sanctioned three financial advisory firms Monday over email account breaches that exposed the personal information of thousands of customers.
These enforcement actions are the latest example of government regulators penalizing financial managers and brokerages over hacks. The U.S. Securities and Exchange Commission alleged the three firms failed to protect customer information by implementing inadequate cybersecurity and risk response policies.
“It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks,” Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit, said in a statement.
The SEC fined Cetera Financial Group, Cambridge Investment Research Inc., and KMS Financial Services Inc. in three separate enforcement actions. All three firms agreed to settle the SEC’s claims without admitting or denying the findings.
Cetera will pay a $300,000 penalty, while Cambridge will pay $250,000 and KMS $200,000, according to SEC documents.
The regulator stated that Cetera’s cybersecurity failures allowed hackers to assume control of the accounts of more than 60 personnel, resulting in the exposure of personal information for at least 4,388 customers and clients.
None of the accounts in question were protected in a manner consistent with Cetera’s stated policies, the regulator said. The agency also found that Cetera used misleading language when sending notifications about the breaches. Similar instances of intrusion at Cambridge Investment led to more than 7,000 customers and clients having their personal information exposed.
The SEC said each of the sanctioned firms violated a safeguards rule, which requires broker-dealers and investment firms registered with the agency to adopt written policies and procedures that protect customer records and information.
One of the first such cases by the SEC was brought against broker-dealer Voya Financial Advisors Inc. in 2018. The enforcement action was the first to allege violations of an identity theft red flags rule, which requires firms to take steps to prevent identity theft, according to the SEC.
Source: https://www.wsj.com/articles/sec-sanctions-brokerages-over-email-break-ins-11630362156