The cases underscore how cybersecurity is now a major challenge for an industry overseeing billions of dollars of HNW clients' wealth. Arguably, the position has turned more acute with the advent of working-from-home arrangements brought on by the pandemic.

The Securities and Exchange Commission has taken action against eight investment firms for cybersecurity failings that exposed thousands of clients’ personal information.

The regulator sanctioned the firms in three actions.

The businesses, which have agreed to settle the charges, are: Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisors LLC (collectively, the Cetera Entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS). All were Commission-registered as broker dealers, investment advisory firms, or both.

Without admitting or denying the SEC's findings, each firm agreed to cease and desist from future violations of the charged provisions, to be censured and to pay a penalty. The Cetera Entities will pay a $300,000 penalty, Cambridge will pay a $250,000 penalty, and KMS will pay a $200,000 penalty.

The case, one of the most prominent SEC actions of its kind in recent years, underscores how cybersecurity is a major wealth management issue, aggravated arguably by so many advisors now working from home amidst the COVID-19 pandemic. As an indication of what is at risk, a study by P&S insurance, issued last November, said that insurance against cybersecurity breaches is expected to hit $70.7 billion by 2030, equating to a 26.3 per cent compound annual growth rate over 10 years.

SEC orders
According to the SEC's order against the Cetera entities, between November 2017 and June 2020, cloud-based email accounts of more than 60 Cetera Entities' personnel were taken over by unauthorized third parties, causing the exposure of personally identifying information (PII) of at least 4,388 customers and clients. None of the accounts which were taken over were protected in a manner consistent with the Cetera entities' policies, the regulator said in a statement yesterday.

The SEC's order also finds that Cetera Advisors LLC and Cetera Investment Advisors LLC sent breach notifications to the firms' clients that included misleading language suggesting that the notifications were issued much sooner than they actually were after the incidents were discovered.

In the SEC’s order against Cambridge, between January 2018 and July 2021, cloud-based email accounts of more than 121 Cambridge representatives were taken over by unauthorized third parties, resulting in the PII exposure of at least 2,177 Cambridge customers and clients. The SEC's order finds that although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021, resulting in the exposure and potential exposure of additional customer and client records and information.

According to the SEC's order against KMS, between September 2018 and December 2019, cloud-based email accounts of 15 KMS financial advisors or their assistants were taken over by unauthorized third parties, resulting in the PII exposure of about 4,900 KMS customers and clients. The SEC's order further finds that KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020, and did not fully implement those additional security measures firm-wide until August 2020, placing additional customer and client records and information at risk.

In all of the firms’ cases, the SEC said they broke Rule 30(a) of Regulation S-P, also known as the “Safeguards Rule” that is designed to protect confidential customer information. 

The SEC's order against the Cetera Entities also finds that Cetera Advisors LLC and Cetera Investment Advisors LLC violated Section 206(4) of the Advisers Act and Rule 206(4)-7 in connection with their breach notifications to clients.