Recent SEC Orders Signal Hard Stance on Protecting Investor Data from Cyber Attacks

Savage Villoch Law, PLLC

In today’s ever-interconnected society, protecting the stability and security of cyber infrastructure and the personal information stored therein has never been of greater importance. Recognizing this need, the United States Securities and Exchange Commission (“SEC”) has taken marked steps to protect the security of investor records and information that broker-dealer firms possess.

In fact, the SEC has recently begun sanctioning the very victims of cyberattacks – investment firms that have fallen prey to such attacks – citing their deficient cybersecurity procedures as partly to blame for the unauthorized third-party access to investors’ private information. [1]

On August 30, 2021, the SEC released three orders sanctioning eight firms for their failures in protecting their customers’ personally identifiable information due to inadequate cybersecurity policies and procedures. These orders each proceeded as violations of Rule 30(a) of Regulation S-P, colloquially known as the “Safeguards Rule.” [2]

The Safeguards Rule requires that any broker-dealer or investment adviser registered with the SEC adopt “written policies and procedures reasonably designed to:

(1) insure the security and confidentiality of customer records and information;

(2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and

(3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.” [3]

In response to the orders, each firm settled with the SEC without admitting or denying the charges, paying a sum total of $750,000 in penalties. [2]

The first order was lodged against Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers, LLC (collectively “Cetera Entities”) for failing to adequately leverage the myriad tools they had available to mitigate cybersecurity risks, resulting in a violation of the Safeguards Rule. [3]

From November 2017 to June 2020, unauthorized third parties gained access to the emails of over 60 Cetera Entities personnel, exposing more than 4,000 Cetera Entities customers’ personally identifiable information. The SEC alleged that while Cetera had the ability to implement multi-factor authentication (“MFA”) on email accounts, none of the compromised email accounts had that security feature enabled. [3]

As a result, the SEC concluded that Cetera Entities violated the Safeguards Rule because their “policies and procedures to protect customer information and to prevent and respond to cybersecurity incidents were not reasonably designed” to adequately protect their customers’ PII. [3]

The second order alleged that Cambridge Investment Research, Inc., and Cambridge Investment Research Advisors, Inc., willfully violated the Safeguards Rule in a similar manner by failing to activate MFA on the cloud-based email accounts of their registered representatives. [4] As a result of this failure, more than 121 Cambridge representatives’ cloud-based email accounts were breached by third parties, exposing the personally identifiable information of more than 2,000 Cambridge customers. [4]

Finally, the SEC’s third order alleging a violation of the Safeguards Rule was entered against KMS Financial Services, Inc., again for failing to properly safeguard the cloud-based email accounts of the company’s registered financial advisers. [5] The result of this failure was exposure of sensitive personally identifiable information of nearly 5,000 KMS customers. In addition, the SEC found that even after KMS became aware of the unauthorized third-party breach in November 2018, it failed to adopt firm-wide increased security measures relating to email accounts for more than 20 months. [5]

The release of these three orders clearly signals the SEC’s desire to protect investor data held by broker-dealer firms across the United States, essentially forcing the adoption of increased security measures across the industry. Interestingly, each of the three orders explicitly notes that the email breaches in question “do not appear” to have resulted in any realized financial damages to the customers via their compromised accounts.

Given this information, these SEC actions appear almost cautionary in nature, attempting to serve as a warning to all broker-dealer firms as they design their cybersecurity policies. While these policies may impose costs on investment firms, the interests of investors are well-served by this stance on protecting personal information.

Sources:

[1] https://www.reuters.com/legal/legalindustry/cyber-attack-victims-face-one-two-punch-sec-ramps-up-enforcement-actions-2021-10-12/

[2] https://www.sec.gov/news/press-release/2021-169

[3] https://www.sec.gov/litigation/admin/2021/34-92800.pdf

[4] https://www.sec.gov/litigation/admin/2021/34-92806.pdf

[5] https://www.sec.gov/litigation/admin/2021/34-92807.pdf
