SEC fines three companies over hacked employee email accounts

The US Securities and Exchange Commission has fined three brokerage firms on Monday for neglecting to secure employee accounts, incidents that led to the exposure of their customers' data.

Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, the Cetera entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS) all settled with the SEC in three separate lawsuits [PDF: Cetera, Cambridge, KMS], the agency announced this week.

According to court documents, the three companies were hacked multiple times between 2017 and 2020, hid the intrusions, and failed to properly notify customers.

Cetera:

• 60 Cetera employees had cloud-based email accounts hacked between November 2017 and June 2020.
• The accounts exposed the data of at least 4,388 of its customers.
• The company used misleading language in its customer notification to suggest the notifications were issued sooner than they actually were.

Cambridge:

• 121 Cambridge employees had cloud-based email accounts hacked between January 2018 and July 2021.
• Hacks exposed the data of 2,177 Cambridge customers.
• The company improved security only in 2021, despite the earlier hacks.

KMS:

• 15 KMS employees had cloud-based email accounts hacked between September 2018 and December 2019.
• Hacks exposed the data of approximately 4,900 customers.
• SEC says KMS took months to bolster security measures, a process that started two years after the first hack, in May 2020, and finished in August of the same year.

The SEC said the three companies broke Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which requires companies to protect confidential customer information from hacks or accidental data leaks.

"Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information," said Kristina Littman, Chief of the SEC Enforcement Division's Cyber Unit.

"It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks."

According to the settlements, the three companies also agreed to pay fines. Cetera will pay $300,000, Cambridge will pay $250,000, and KMS will pay $200,000, the SEC said.