Recent SEC Orders Signal Hard Stance on Protecting Investor Data from Cyber Attacks

In today’s ever-interconnected society, protecting the stability and security of cyber infrastructure and the personal information stored therein has never been of greater importance. Recognizing this need, the United States Securities and Exchange Commission (“SEC”) has taken marked steps to protect the security of investor records and information that broker-dealer firms possess.

In fact, the SEC has recently begun sanctioning the very victims of cyberattacks – investment firms that have fallen prey to such attacks – citing their deficient cybersecurity procedures as partly to blame for the unauthorized third-party access to investor’s private information. [1]

On August 30, 2021, the SEC released three orders sanctioning eight firms for their failures in protecting their customers’ personally identifiable information due to inadequate cybersecurity policies and procedures. These orders each proceeded as violations of Rule 30(a) of Regulation S-P, colloquially known as the “Safeguards Rule.” [2]

The Safeguards Rule requires that any broker-dealer or investment adviser registered with the SEC adopts “written policies and procedures reasonably designed to:

(1) insure the security and confidentiality of customer records and information;

(2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and

(3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.” [3]

In response to the orders, each firm settled with the SEC without admitting to nor denying the charges, paying a sum total of $750,000 in penalties. [2]

The first order was lodged against Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers, LLC (collectively “Cetera Entities”) for failing to adequately leverage the myriad tools they had available to mitigate cybersecurity risks, resulting in a violation of the Safeguards Rule. [3]

From November 2017 to June 2020, unauthorized third parties gained access to the emails of over 60 Cetera Entities personnel, exposing more than 4,000 Cetera Entities customers’ personally identifiable information. The SEC alleged that while Cetera had the ability to implement multi-factor authentication (“MFA”) on email accounts, none of the compromised emails had enabled that security feature. [3]

As a result, the SEC concluded that Cetera Entities violated the Safeguards Rule because their “policies and procedures to protect customer information and to prevent and respond to cybersecurity incidents were not reasonably designed” to adequately protect their customers’ PII. [3]

The second order alleged that Cambridge Investment Research, Inc., and Cambridge Investment Research Advisors, Inc., willfully violated the Safeguards Act in a similar manner by failing to activate MFA on the cloud-based email accounts of their registered representatives. [4] As a result of this failure, more than 121 Cambridge representatives’ cloud-based email accounts were breached by third parties, exposing the personally identifiable information of more than 2,000 Cambridge customers. [4]

Finally, the SEC’s third order alleging a violation of the Safeguards Rule was entered against KMS Financial Services, Inc., again for failing to properly safeguard the cloud-based email accounts of the company’s registered financial advisers. [5] The result of this failure was exposure of sensitive personally identifiable information of nearly 5,000 KMS customers. In addition, the SEC found that even after KMS became aware of the unauthorized third-party breach in November 2018, it failed to adopt firm-wide increased security measures relating to email accounts for more than 20 months. [5]

The release of these three orders clearly signals the SEC’s desire to protect investor data held by broker-dealer firms across the United States, essentially forcing the adoption of increased security measures across the industry. Interestingly, each of the three orders explicitly notes that the email breaches in question “do not appear” to have resulted in any realized financial damages to the customers via their compromised accounts.

Given this information, these SEC actions appear almost cautionary in nature, attempting to serve as a warning to all broker-dealer firms as they design their cybersecurity policies. While these policies may impose costs on investment firms, the interests of investors are well-served by this stance on protecting personal information.

Sources: [1] https://www.reuters.com/legal/legalindustry/cyber-attack-victims-face-one-two-punch-sec-ramps-up-enforcement-actions-2021-10-12/ [2] https://www.sec.gov/news/press-release/2021-169 [3] https://www.sec.gov/litigation/admin/2021/34-92800.pdf [4] https://www.sec.gov/litigation/admin/2021/34-92806.pdf [5] https://www.sec.gov/litigation/admin/2021/34-92807.pdf