SEC Charges Eight Firms for Cybersecurity Shortcomings



The Securities and Exchange Commission (SEC) has issued sanctions to firms that failed to follow industry-standard cybersecurity policies and incident response procedures. According to the commission, the firms' faulty cyber policies and procedures didn't protect private client information after third parties fraudulently took over company email accounts. The eight firms failed to have cybersecurity policies and procedures in place, which left them vulnerable to attacks in which outsiders took over company email accounts, potentially exposing the personal information of thousands of clients. The firms were collectively fined $750,000 for their failed cyber policies and procedures.

The SEC sanctioned the firms in three separate actions, and all firms agreed to settle the charges. One action covered a number of firms under Cetera: Cetera Advisor Networks, Cetera Investment Services, Cetera Financial Specialists, Cetera Advisors and Cetera Investment Advisers. Another action sanctioned Cambridge Investment Research and Cambridge Investment Research Advisors, while the third detailed the allegations against KMS Financial Services.

Kristina Littman, the Chief of the cyber unit of the commission's Enforcement Division, said in a statement that investment advisors and broker/dealers “must fulfill their obligations” when promising to safeguard what is supposed to be private client information. “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks,” Littman said. The Cetera firms will collectively pay $300,000, while Cambridge and KMS will pay $250,000 and $200,000, respectively. These fines could easily have been avoided by having the appropriate controls in place to prevent this oversight.

While there is no single way to prevent being targeted, BW Cyber Services can help you develop a Quarterly Written Information Security Policy Attestation Oversight plan and a comprehensive cyber compliance security program to prevent and respond to future attacks that affect your operations. We can assess the risks in your organization, review your response plans, and conduct phishing campaigns and penetration testing, and we offer a variety of other services to meet your cybersecurity needs. For more information on how BW Cyber Services can assist you, please contact us at