The U.S. Securities and Exchange Commission (SEC) decided out sanctions for cybersecurity breaches against eight firms. According to SEC, the companies have lax rules for this. Therefore, hackers managed to access and steal the data.
SEC named the Cetera Entities, Cambridge companies and KMS Financial Services for the most lackluster cybersecurity policies which led to email account takeovers. Thus, thousands of people’s personal information was compromised.
The companies work as broker dealers, investment advisory, or both. According to SEC, the Cetera and Cambridge companies will each pay a $300,000 penalty, while KMS will pay $200,000.
The SEC has found that Cetera leaked more than 4,300 people’s personal information over the last few years. And this happened after hackers managed to access 60 cloud-based email accounts. But the SEC did not list which types of personal information were leaked in each case.
According to SEC, the companies did not protect the accounts ”in a manner consistent with the Cetera Entities’ policies.” Moreover, they sent breach notifications suggesting that they issued them sooner than they actually did.
Also, fifteen KMS financial advisers had their accounts taken over. The breach exposed a great deal of customer information, so it affected 5,000 people. KMS didn’t make any changes to its cybersecurity policies until May 2020. Still, they weren’t implemented until August 2020.
They violated the Safeguards Rule
SEC mentioned that all the companies violated the Safeguards Rule that protects customer information. Also, they said that Cetera violated other rules related to the notification letters.
Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit, said advisers and dealers need to fulfill their obligations. And this is even more important concerning the protection of customer information. She mentioned that security measures are in vain if they companies do not implement them or do it just partially.