SEC Fines Broker-Dealer and Advisory Firms for Cybersecurity Lapses
- Three firms are facing a combined monetary penalty of $750,000.

The US financial market regulator, the Securities and Exchange Commission (SEC), has imposed sanctions on eight broker-dealer and financial advisory companies for lapses in their cybersecurity policies and measures. Though eight entities were named, they are controlled by only three groups.
The names of all these entities are Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC and Cetera Investment Advisers LLC (collectively, the Cetera Entities), Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge) and KMS Financial Services Inc. (KMS).
According to the announcement made on Monday, cybersecurity failures at the companies resulted in the takeover of email accounts, which exposed the personal information of thousands of customers and clients of each firm.
Were the Lapses Ignored?
According to the SEC, cloud-based email accounts of more than 60 Cetera staff were compromised between November 2017 and June 2020 because they were not secured as company policies required. Breaches affecting over 121 Cambridge representatives happened between January 2018 and July 2021, and breaches at KMS occurred between September 2018 and December 2019.
The violation of Cetera emails exposed at least 4,388 of its customers and clients, while for Cambridge and KMS the exposed emails were numbered at 2,177 and 4,900 respectively.
The market watchdog has brought charges against these entities for multiple regulatory violations and penalized them: the Cetera Entities with $300,000, Cambridge with $250,000 and KMS with $200,000. Though the companies agreed to cease and desist, they neither admitted nor denied the allegations.
“Investment advisers and broker-dealers must fulfill their obligations concerning the protection of customer information,” Kristina Littman, Chief of the SEC Enforcement Division's Cyber Unit, said. “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”