Cybersecurity Compliance Is More Than a Policy, Part 2: SEC Cyber Enforcement Actions Remind Advisers and Brokers That Policies Must Be Followed With Action
As we discussed yesterday, this post provides more background about the federal government’s recently announced cybersecurity-related enforcement actions, which arise out of what appear to be routine Securities and Exchange Commission (SEC) examinations of registered investment advisers and broker-dealers. As we noted previously, the SEC enforcement actions serve as a reminder that regulators at every level are focused on the measures that companies take to prevent, identify, and address cyber- and information security threats. Additionally, regulators are closely reading the language of any notification sent to impacted individuals for accuracy.
The three orders relate to eight firms: Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, Cetera Investment Advisers LLC (collectively, the Cetera Entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS). In settling the actions without admitting or denying the findings (except as to jurisdiction and the subject matter of the proceedings), the eight firms collectively paid penalties totaling $750,000.
All of the settled orders assert violations of Rule 30(a) of Regulation S-P, known as the Safeguards Rule, for failing to properly protect customer information. Specifically, the SEC alleges that the firms’ failure to adopt and follow adequate written cybersecurity policies and procedures led to email account takeovers, primarily of the cloud-based email accounts of independent contractors, exposing personal information for thousands of customers and clients.
In addition, the order against the Cetera Entities asserted violations of Section 206(4) of the Advisers Act and Rule 206(4)-7 for failing to properly notify clients in connection with a security breach. Although the firms had identified the breach and properly notified most of those impacted, the SEC took issue with the use of a template letter notification for approximately 220 customers whom the firms notified several months later without updating the time when the breach was identified.
Safeguards Rule Violations
The Safeguards Rule requires every broker-dealer and investment adviser registered with the Commission to adopt written policies and procedures that are reasonably designed to: (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. In each of the orders, the SEC criticized the companies’ failure to tailor the security tools and procedures already in place to the needs of their businesses.
For example, the Cetera Entities had a written policy requiring multi-factor authentication (MFA) “whenever possible” but, according to the SEC, failed to enforce it. The SEC asserts that this enforcement failure resulted in the takeover by unauthorized third parties of over 60 personnel email accounts and the exposure of over 4,388 customers’ personal information between 2017 and 2020. Following an initial attack in late 2017, the Cetera Entities activated MFA for their employees’ cloud-based accounts and began a process of activating MFA for contractor representatives’ email accounts. According to the SEC, however, over 1,500 email accounts belonging to contractor representatives and their employees still lacked MFA in December 2018, and the company did not implement MFA for any offshore contractor email accounts until the end of 2019. The SEC found that these failures constituted a willful violation of the Safeguards Rule.
The other two orders detailed similar “willful” violations of the Safeguards Rule. Cambridge violated the rule by failing to implement a policy mandating MFA for all employees and independent representatives, even though Cambridge’s policies appear to have suggested MFA implementation. Specifically, the SEC asserts that Cambridge provided its independent representatives with cybersecurity guidance, including policies and procedures, but left each representative responsible for implementing that guidance. Following several instances of email account takeovers from 2018 to 2021, Cambridge suspended or reset the affected accounts but did not require any other enhanced security measures and did not enforce the MFA requirement until 2021. Similarly, KMS discovered compromised email accounts in November 2018. While KMS reset the affected email accounts and enabled MFA on them, the SEC found a Safeguards Rule violation because KMS did not adopt written policies and procedures requiring such security measures until May 2020 and did not implement those changes firmwide until August 2020.
The SEC also found that the Cetera Entities violated Section 206(4) of the Advisers Act and Rule 206(4)-7 by failing to adopt and implement reasonably designed policies and procedures for the review of communications to advisory clients, which resulted in misleading template language. As noted above, the SEC took issue with notification language stating that the breach(es) had been identified two months prior and describing the breach(es) as “recent.” In fact, identification had occurred six months prior, and the date set forth in the notice was not the date the breach(es) were identified but the date on which the firm completed its review of the compromised accounts. According to the SEC, the customers therefore would not know to look for potential misuse of their personal information beyond the two-month window indicated, defeating the purpose of the notification.
Cybersecurity continues to be an area of focus for all regulators. These orders serve to remind firms to review and update their policies and procedures relating to information security, consider whether technology enhancements are required (and swiftly implement them), and ensure that individuals are complying. For a discussion of specific steps firms could consider taking to ensure cybersecurity compliance, please refer back to our prior post or contact the authors of this post.
© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.