Demonstrating its continued focus on cybersecurity enforcement, the Securities and Exchange Commission (SEC) announced three new actions on Aug. 30 charging eight firms with maintaining deficient cybersecurity policies and procedures, resulting in the exposure of personally identifiable information (PII) of thousands of clients and customers. The actions, following other recent SEC proceedings against real estate services provider First American Financial Corp. (see our prior alert) and publishing and services company Pearson plc, indicate that cybersecurity controls and disclosure controls and procedures will continue to be top priorities for the SEC.
The Three New Actions
On Aug. 30, the SEC announced it had imposed hundreds of thousands of dollars in penalties against eight broker dealers and registered investment advisers in three different actions. The SEC charged that the firms Cetera and its related entities (Cetera), Cambridge and its related entities (Cambridge), and KMS Financial Services (KMS) violated the Safeguards Rule and, in the case of Cetera, the Advisers Act. The Safeguards Rule requires registrants to adopt policies and procedures reasonably designed to protect customer records and information. The Advisers Act mandates policies and procedures requiring the review of communications to advisory clients, to prevent misleading language, for example. The SEC charged that deficient policies and procedures under these rules resulted in email account takeovers that exposed PII of thousands of customers and clients.
In the case of Cetera, employees, independent contractor representatives and offshore contractors used cloud-based email services that contained customers’ PII. Following the breach of 23 personnel email accounts in early 2018, Cetera turned on multi-factor authentication (MFA) for its employees’ and most of its independent contractors’ email accounts. The email accounts of 30 contractors that did not have MFA were subsequently taken over, leading to the exposure of the PII of 4,388 customers. The SEC alleged that Cetera violated the Safeguards Rule because its MFA program was not reasonably designed, as it failed to apply MFA to all contractors. Additionally, in its breach notification, Cetera misstated when it had learned of the breach. The SEC charged that these actions violated Section 206(4) of the Advisers Act as the breach notifications included “misleading language.” Cetera will pay a $300,000 penalty for these alleged violations.
Cambridge was charged with violating the Safeguards Rule because it similarly “failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts.” According to the SEC, Cambridge recommended, but did not require, enhanced security measures for its independent contractors, including MFA for cloud-based email accounts. Between January 2018 and July 2021, email accounts of 121 independent contractors were taken over by unauthorized third parties, who then forwarded PII outside of Cambridge. As a result, 2,177 customers and clients were exposed. Because Cambridge discovered the takeover in January 2018 but failed to adopt enhanced security measures until 2021, the SEC charged that Cambridge violated the Safeguards Rule by failing to adopt policies and procedures sufficient to protect the type of PII that was ultimately exposed. As a result, Cambridge will pay a $250,000 fine.
Intruders similarly accessed the email accounts of 15 independent contractors or assistants employed by KMS between September 2018 and August 2020. From these accounts, they forwarded emails with PII outside the organization, emailed customers asking them to wire funds to a bank account, and sent malicious links. As a result, the PII of 4,900 customers was exposed. KMS implemented additional security measures for all email users, but not until 21 months after the breach was first discovered. Charged with violating the Safeguards Rule, KMS will pay a $200,000 penalty.
The SEC’s actions against these three financial institutions, along with its actions against First American in June and Pearson plc last month, are clear demonstrations that the SEC is forcefully addressing cybersecurity and disclosure controls and procedures. As chief of the SEC Enforcement Division’s Cyber Unit, Kristina Littman, explained, “Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information. It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”
These five enforcement actions together highlight the need for companies to evaluate their disclosure controls to ensure adequate coordination among information technology professionals, investor relations advisers, and legal and senior operating management, and ultimately that such controls are carefully overseen by the board.