Written by The White Law Group• August 31, 2021• 6:38 pm• Blog, Current Investigations

Cetera, Cambridge, KMS Sanctioned for Cybersecurity Issues

Cetera SEC, Cambridge Investment cybersecurity, KMS Financial lawsuit, Cetera Investigation, Cambridge Investment complaints, KMS Financial cybersecurity, Cetera data breach, Cambridge Investment lawsuit, KMS Financial SEC charges, featured by top securities fraud attorneys, The White Law Group

SEC Sanctions Eight Broker Dealers/RIAs for Deficient Cybersecurity Protection

According to the Securities and Exchange Commission on August 30, the regulator has sanctioned eight broker-dealers/registered investment advisers for a lack of cybersecurity policies and procedures that reportedly caused email account takeovers exposing the personal information of thousands of customers.

The eight firms, which have agreed to settle the charges, are: Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, the Cetera Entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS).

Between November 2017 and June 2020, the cloud-based email accounts of more than 60 Cetera personnel were reportedly taken over by unauthorized third parties, exposing personally identifying information of at least 4,388 customers and clients. None of the accounts were protected with Cetera entities’ policies, according to the SEC.

Further, the SEC claims that Cetera Advisors and Cetera Investment Advisers sent breach notifications to its clients that included misleading language suggesting that the notifications were issued “much sooner” than they actually were after discovering the incidents.

Between January 2018 and July 2021, the cloud-based email accounts of 121 Cambridge representatives were reportedly taken over, resulting in the exposure of at least 2,177 customers and clients, according to the SEC’s order.

The SEC claims that although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts until 2021, resulting in the exposure and potential exposure of additional client records and information.

Between September 2018 and December 2019, the email accounts of 15 KMS financial advisers or their assistants were taken over, resulting in the exposure of approximately 4,900 customers and clients.

The SEC claims that KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020 and did not fully implement those additional security measures firm-wide until August 2020, allegedly placing additional customer and client records and information at risk.

Each firm reportedly agreed to cease and desist from future violations, to be censured, and to pay a penalty, without admitting or denying the charges. The Cetera entities will pay a $300,000 penalty, Cambridge will pay $250,000, and KMS will pay $200,000, according to the SEC.