The US financial market regulator, the Securities and Exchange Commission (SEC), has sanctioned eight broker-dealer and investment advisory firms for lapses in their cybersecurity policies and procedures. Though eight entities were named, they belong to just three corporate groups.
The entities are Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC and Cetera Investment Advisers LLC (collectively, the Cetera Entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS).
According to the announcement, made on Monday, cybersecurity failures at the firms led to the takeover of email accounts, exposing the personal information of thousands of customers and clients at each firm.
Were the Lapses Ignored?
According to the SEC, cloud-based email accounts of more than 60 Cetera personnel were compromised between November 2017 and June 2020 because they were not protected in the manner the firms' own policies required. Cloud-based email accounts of more than 121 Cambridge representatives were compromised between January 2018 and July 2021, and the KMS compromises occurred between September 2018 and December 2019.
The compromise of the Cetera accounts exposed the personal information of at least 4,388 customers and clients, while the Cambridge and KMS compromises exposed 2,177 and 4,900 customers and clients respectively.
The market watchdog charged the entities with violating regulatory requirements for safeguarding customer information and imposed penalties: $300,000 on the Cetera Entities, $250,000 on Cambridge and $200,000 on KMS. The firms agreed to cease-and-desist orders without admitting or denying the SEC's findings.
“Investment advisers and broker-dealers must fulfill their obligations concerning the protection of customer information,” Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit, said. “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”