US SEC announces three actions charging firms for cybersecurity deficiencies

On August 30, 2021, the Securities and Exchange Commission (SEC) announced enforcement actions against three sets of broker-dealer and/or investment advisers for alleged failures in the entities' cybersecurity policies and procedures with respect to email account compromises and the exposure of customer information in violation of Regulation S-P, known as the Safeguards Rule. The Safeguards Rule requires broker-dealers, investment companies and registered investment advisers to maintain policies and procedures reasonably designed to "(1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer." See 17 C.F.R. § 248.30(a).

The SEC has been increasingly vocal about its concerns with how companies protect their data from cyber intrusions and how companies react upon learning of a data breach. Another recent example being the SEC's June 2021 issuance of voluntary information requests to a range of public companies and investment advisors potentially impacted by the highly publicized December 2020 SolarWinds cyberattack. The requests sought information regarding the impact of the attack and steps taken by the recipients in response, including whether any public disclosures were made. The requests also noted the potential for later enforcement action if a recipient did not respond to the voluntary request and it was later determined the recipient had not timely made the required public disclosure related to SolarWinds cyberattack impact.

This week's enforcement actions further evidence the SEC's growing concerns over cybersecurity and its use of the Safeguards Rule to articulate its views with respect to cybersecurity standards.

The following are the notable findings in each of the recent Orders.

Cetera Order

The SEC alleged the Cetera entities failed to implement reasonable policies and procedures to (1) safeguard information and (2) to review client communications regarding security incidents to avoid misleading statements based on information known to the firm at the time. On the first alleged failure, over a period of approximately 1.5 years, the Cetera entities collectively experienced compromises of 60 Cetera email accounts, resulting in exposure of customer personal information. At the time of compromise none of these 60 accounts had multi-factor authentication (MFA) enabled despite a policy change during this period requiring MFA "wherever possible." The latter compromises resulted from inconsistent deployment of MFA between employees and contractors domestically and abroad. On the second failure, the SEC alleged that in certain of its notification letters to impacted individuals in connection with the compromised email accounts, Cetera misled recipients as to the timing of the incident's discovery. The notification letters gave the impression the breach was discovered more recently than it actually happened by using the date of discovery of the individuals' personal information instead of the earlier date when Cetera first learned of the compromised email accounts. Penalty: US$300,000.

Cambridge Investment Research Order

The SEC alleged Cambridge failed to implement policies and procedures reasonably designed to safeguard customer information. Cambridge suffered an initial email compromise in 2018, after which Cambridge failed to adopt firm-wide enhanced security measures for email accounts until 2021, specifically for its independent representatives. Throughout this period, Cambridge's policies recommended, but did not require, independent representatives, including individuals whose accounts had been compromised, to implement enhanced security measures, such as MFA. Penalty: US$250,000.

KMS Financial Services Order

The SEC alleged that KMS first discovered compromised email accounts of advisors in November 2018, and although KMS required affected advisors to enable MFA, KMS failed to adopt written policies and procedures requiring additional firm-wide security measures (including MFA) for all KMS email users until May 2020. Two forensic firms engaged by KMS to investigate the incidents wrote reports including recommendations to expedite enablement of MFA for contractors. However, MFA was not implemented firm-wide until August 2020. The SEC alleged this resulted in the exposure of sensitive records and information of thousands of KMS customers throughout 2019, and the potential exposure of additional customer records and information until August 2020. As a result, the SEC alleged that KMS violated the Safeguards Rule by failing to adopt written policies and procedures reasonably designed to safeguard customer information. Penalty: US$200,000.

Our take

In each of the Orders, the SEC predominantly focused on the repeated deficient responses by the firms to their discovery of email compromises. All three Orders describe an initial email compromise, after which the firms should have been "on notice" of an email security issue and the need for improved security. In the SEC's view, none of the firms took sufficiently prompt or comprehensive action to address the issues, resulting in subsequent email compromises and exposure of additional personal information in violation of the Safeguards Rule. This focus on deficient and or delayed responses to known security problems aligns with the focus seen from state regulators in the event of a data security breach. Where there is a known vulnerability and no remediation or mitigating controls implemented, the regulatory response grows harsher.

Further, the focus on particular types of technology, such as MFA, evidences the increasing cybersecurity sophistication of regulators. The now common use of MFA has made it a frequent question from inquiring regulators when an organization suffers a data breach. As evidenced by these SEC enforcement actions, where the MFA security policies are not implemented quickly enough, do not match the organization's actual practice, or are not evenly enforced (and no other mitigating controls were in place), organizations face a higher risk of regulatory scrutiny.

Practical takeaways

• Timely implement and track implementation of security recommendations from third-party firms (i.e., a forensic firm or external cybersecurity assessor/advisor). If a similar incident occurs and the company has not implemented the recommended enhancements, regulators consider the company on notice but failing to mitigate.
• Ensure notification letters to impacted individuals are clear about dates of discovery, including the date of discovery of the unauthorized access to the email account versus the date when the firm discovers personal information in the accounts.
• Implement mandatory MFA or other equally mitigating controls for both employees and independent contractors before allowing access to corporate email or your network.
• Ensure prompt incident documentation for internal tracking purposes. Consult external counsel for appropriate information to include in such documentation.
• Where possible, do not store sensitive personal information of customers in email accounts, or if necessary, include appropriate safeguards to protect such data during transmission and at rest.