The Securities and Exchange Commission issued sanctions against three financial services companies last week. The sanctions came in response to a series of email-takeover attacks in which Personally Identifiable Information (PII) was exposed.

In each case, the SEC found that the firms failed to implement proper cybersecurity measures against breaches. Each firm was found responsible for compromising the PII of fewer than 5,000 consumers.

According to the SEC, all three firms violated the Safeguards Rule, which is designed to protect confidential PII. One of the firms, Cetera Entities, used misleading language in its breach notification to clients, violating Section 206(4) of the Advisers Act and Rule 206(4)-7.

The firms have all agreed to settle the charges, according to reporting from Security Magazine, and are all listed as broker-dealers, investment advisory firms, or both. Cetera Financial Group will be required to pay a $300,000 fine. The other two firms, Cambridge Investment Research Inc. and KMS Financial Services Inc., will pay $250,000 and $200,000 in fines, respectively.

This is the first case of its kind since 2018, when the SEC levied penalties against Voya Financial Advisors for failing to implement safeguards against identity theft. These recent penalties indicate an uptick in enforcement action by the SEC, according to Sounil Yu, Chief Information Security Officer at JupiterOne, which provides cybersecurity and compliance solutions: “Companies should expect greater regulatory scrutiny from the SEC (and other regulatory bodies, such as the NYSDFS) and should be proactive in developing a robust cybersecurity risk management program to mitigate the threat of substantial monetary penalties from regulators.”

Notably, at least one firm, Cetera Financial Group, was found responsible by the SEC for failing to follow its own cybersecurity policy. In a statement to the Wall Street Journal, Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit, said: “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”
