SEC Sanctions Several Companies over Email Account Hacking

Earlier this week the SEC (Securities and Exchange Commission) in the USA penalized various companies due to cyber security breakdowns. Hackers took advantage of the mishap to gain unauthorized access to email accounts and lots of customer’s data was exposed. A statement from the SEC read as follows:

“According to SEC, it has penalized eight companies in three actions for negligence of their cyber protection guidelines and procedures that stimulated email account hacks exposing personal data of numerous clients and customers in each firm.” 

The penalized companies are Investment Services, Advisor Networks, Financial Specialists, Investment Advisers, and Advisors, all under the Cetera group. Investment Research Advisors and Investment Research from Cambridge Investment were affected, as well as KMS, a registered financial services provider based in Seattle. 

SEC insisted Cetera was responsible for exposing the personal data of more than 4,300 clients and customers between 2017 November and 2020 June. During that timeframe, unapproved third parties gained unauthorized access into over 60 email accounts hosted in the cloud belonging to Cetera Employees. A spokesperson representing Cetera did not respond to the ruling. 

The Securities and Exchange Commission regretted that breach alerts some of the Cetera companies circulated were deceptive in terms of the breach disclosure. According to SEC, Cetera should have provided clear information and guidelines on the attacks in the breach alerts they circulated to affected individuals. 

SEC penalized Cambridge Investment Research because more than 121 of their email accounts were hacked between 2018 January and 2021 July. Following the attack, more than 2,100 clients and customer’s information was exposed to cybercriminals. SEC reiterated that Cambridge Investment Research discovered the first breach in 2018 January but took no action to boost email account security until 2021. 

A spokesperson representing Cambridge said the company “has always maintained a robust data security group and processes to guarantee protection of all clients’ accounts.

KMS financial services were penalized because several email accounts belonging to their 15 financial advisers and their assistants were compromised between 2018 September and 2019 December. Following the attack, data belonging to almost 5,000 customers and clients were exposed. The Securities and Exchange Commission also said that the organization did not strengthen its security tactics until 2020 August. When asked to comment about the ruling, a KMS Financial Services spokesperson did not respond. 

In its ruling, the Securities and Exchange Commission said each organization breached laid down rules on protecting confidential customer data. Further, Cetera breached a regulation regarding contravention of notifications. SEC said:

“Without acknowledging or opposing the SEC’s discovery, each company agreed to halt and refrain from future breaches of the owed provisions, to be reprimanded and reimburse a penalty.”

The total amount each company will pay is as follows. KMS $200,000, Cetera $300,000, and $250,000 for Cambridge. According to Kristina Littman, SEC’s master of the cyber unit administration division:

“Investment guides and agents must realize their responsibilities in terms of safeguarding customer data. Devising a procedure requiring advanced security measures would not be sufficient if the measures are not applied or are implemented partially, especially amidst familiar attacks.”

In the past, various organizations have struggled with possible exposure of customer’s confidential data. One such organization is Morgan Stanley. When it was attacked, the company was forced to compensate existing and previous wealth management customers with a free two-year credit monitoring service subscription. 

Previous Cases of Email Account Hacking that Caught the Attention of SEC

In 2015 the US was investigating cybercriminals believed to have broken into company email accounts and acquired unauthorized access to financial secrets. Then, the Securities and Exchange Commission requested data breach details from nearly eight companies. 

A former SEC master of internet enforcement, John Reed Stark said hackers could leverage compromised data to facilitate an advanced model of insider trading. John told Reuters, a news agency that asking companies to reveal details about data violations was crucial. 

He reiterated that SEC had sought information to understand the tactics hackers were using. Often, hackers use phishing emails to target employees. These emails direct them to illegitimate websites that steal confidential information such as passwords.