On August 30, 2021, the Securities and Exchange Commission (SEC) sanctioned eight firms in three actions for cybersecurity failures in their policies and procedures that exposed the personal information of thousands of customers at each firm. These firms included: Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, the Cetera Entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS). All were registered with the SEC as broker-dealers, investment advisers, or both. The SEC found that these failures violated the Safeguards Rule, Rule 30(a) of Regulation S-P, which requires registered broker-dealers and investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information.
This action came amid repeated signals from the SEC that cybersecurity is a top priority for the Commission. On September 14, 2021, SEC Chair Gary Gensler told a Senate committee that:
Today’s investors are looking for consistent, comparable, and decision-useful disclosures around climate risk, human capital, and cybersecurity. I’ve asked staff to develop proposals for the Commission’s consideration on these potential disclosures. These proposals will be informed by economic analysis and will be put out to public comment, so that we can have robust public discussion as to what information matters most to investors in these areas.
Companies and investors alike would benefit from clear rules of the road. I believe the SEC should step in when there’s this level of demand for information relevant to investors’ investment decisions.
Alleged details of the incidents are contained in the three orders:
In the SEC’s press release, Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit, stated:
Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information. It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.
The Commission’s orders find that each firm violated Rule 30(a) of Regulation S-P. The orders also find that Cetera Advisors LLC and Cetera Investment Advisers LLC violated Section 206(4) of the Advisers Act and Rule 206(4)-7 in connection with their breach notifications to clients. Without admitting or denying the findings, each firm has agreed to cease and desist from future violations of these provisions, to be censured, and to pay a penalty. The Cetera Entities will pay a $300,000 penalty, Cambridge will pay a $250,000 penalty, and KMS will pay a $200,000 penalty.
As the SEC continues to prioritize cybersecurity and issue enforcement actions, regulated entities should be taking the time and effort to assess the maturity of their cybersecurity governance and their compliance with the requirements of Regulation S-P. This means: