On August 30, 2021, the Division of Enforcement of the Securities and Exchange Commission (the “SEC”) sanctioned eight firms due to failures in their cybersecurity policies and procedures. Specifically, each order involved cybersecurity incidents that exposed customers’ personally identifiable information (“PII”). The firms sanctioned were broker dealers, investment advisers or both and all agreed to pay civil monetary penalties.
The SEC’s orders found that the firms violated Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”). The Safeguards Rule requires every broker-dealer and investment adviser registered with the SEC to adopt written policies and procedures reasonably designed to:
insure the security and confidentiality of customer records and information;
protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The first five firms, which included Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (together, “Cetera”), had over 60 email accounts that were taken over by unauthorized third parties, which in turn resulted in the exposure of over 4,388 customers’ PII. The SEC found that the compromised accounts were not protected in accordance with Cetera’s required policies and procedures.
Also, the SEC found that the cyber breach notifications sent to customers by Cetera included misleading language. The SEC therefore found that Cetera had failed to adopt and implement reasonably designed procedures for the review of communications sent to impacted clients, in violation of Section 206(4) of the Investment Advisers Act of 1940 and Rule 206(4)-7 thereunder. This action demonstrates once again that misleading notices about cybersecurity issues may lead to liability for investment advisers and broker-dealers.
The sixth and seventh actions involved Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (together, “Cambridge”). According to the SEC’s Order, the email accounts of over 121 Cambridge representatives were taken over by unauthorized third parties, resulting in the PII exposure of at least 2,177 Cambridge customers.
The eighth action involved KMS Financial Services Inc. (“KMS”). In this Order, the SEC found that the email accounts of 15 KMS financial advisers or their assistants were taken over by unauthorized third parties, resulting in the PII exposure of approximately 4,900 KMS customers. The SEC also found that KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020, and did not fully implement those additional security measures firm-wide until August 2020.
In sum, these actions once again demonstrate that cybersecurity risk governance is on the SEC’s radar, and the SEC is reminding firms of their regulatory obligations under Regulation S-P. It is therefore essential for firms to update and implement their cybersecurity policies and procedures.
If you have any questions about this Alert, or any other regulatory matters, do not hesitate to reach out to Daniel Viola (Partner – Head of the Regulatory Group) at 212.573.8038 or via email at dviola@sadis.com or to Nicole Arrow (Associate) at 212.573.8148 or via email at narrow@sadis.com.