SEC fines brokerage firms for email attacks that exposed client data – TechCrunch

The US Securities and Exchange Commission has fined several brokerage firms a total of $750,000 for exposing the sensitive personally identifiable information of thousands of customers and clients after hackers took over employee email accounts.

A total of eight entities belonging to three companies have been sanctioned by the SEC, including Cetera (Advisor Networks, Investment Services, Financial Specialists, Advisors and Investment Advisers), Cambridge Investment Research (Investment Research and Investment Research Advisors) and KMS Financial Services.

In a press release, the SEC announced that it had sanctioned the companies for flaws in their cybersecurity policies and procedures that allowed hackers to gain unauthorized access to cloud-based email accounts, exposing the personal information of thousands of customers and clients at each company.

In the Cetera case, the SEC said the cloud-based email accounts of more than 60 employees were infiltrated by unauthorized third parties over a period of more than three years, exposing the personal information of at least 4,388 customers.

The order states that none of the accounts had the protections required by Cetera’s own policies, and the SEC also charged two of Cetera’s entities with sending breach notifications to clients containing “misleading language suggesting that the notifications were issued much sooner than they actually were after discovery of the incidents.”

The SEC’s order against Cambridge finds that the exposure of the personal information of at least 2,177 Cambridge customers and clients was the result of lax cybersecurity practices at the firm.

“Although Cambridge discovered the first takeover of an email account in January 2018, it did not adopt or implement enhanced security measures across the enterprise for its representatives’ cloud-based email accounts until 2021, which resulted in the exposure and potential exposure of additional customer and client records and information,” the SEC said.

The order against KMS is similar; the SEC’s order states that the data of nearly 5,000 clients and customers was exposed because the company did not adopt written policies and procedures requiring additional company-wide security measures until May 2020.

“Investment advisers and brokers must meet their obligations regarding the protection of client information,” said Kristina Littman, chief of the Cyber Unit in the SEC’s Compliance Division. “It is not enough to write a policy that requires enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”

All parties agreed to resolve the charges and not to commit future violations of the charged provisions, without admitting or denying the SEC’s findings. As part of the settlements, Cetera will pay a fine of $300,000, while Cambridge and KMS will pay fines of $250,000 and $200,000 respectively.

Cambridge told TechCrunch that it does not comment on regulatory matters, but said it has and maintains a comprehensive information security group and procedures to ensure customer accounts are fully protected. Cetera and KMS have yet to respond.

This latest action by the SEC comes just weeks after the Commission ordered the London-based education and publishing giant Pearson to pay a $1 million fine for misleading investors about a 2018 data breach at the company.
