Last week we wrote about the Securities and Exchange Commission's (SEC) emphasis on cybersecurity underlined by several recent enforcement actions and initiatives. The SEC maintained its emphasis this week, announcing the settlement of three more enforcement actions against eight firms for various failures to adopt adequate cybersecurity policies and procedures.

The eight defendants were registered broker-dealers, investment advisers, or both. In all three settlements, the SEC found violations of the Safeguards Rule, which requires registered broker-dealers and investment advisers to adopt written policies and procedures for securing customer data. In one of the settlements, the SEC found that two defendants also violated the Investment Advisers Act and its implementing rules by sending misleading breach notifications to affected individuals.

This week's trio of settlements, announced on August 30, 2021, highlights several important points:

  • SEC's Close Reading of Breach Disclosures: One of this week's settlements echoes the SEC's recent settlement with Pearson plc, which we covered in our prior post mentioned above. In both this week's settlement and Pearson, the SEC carefully scrutinized defendants' statements about data breaches and found them to be misleading in specific ways.

    Some of the language the SEC criticized in both cases is commonly found in data breach notifications—for example, references to a "potential exposure" even though a data breach has been confirmed, or to a breach being "recent" when it occurred months prior.
  • Multifactor Authentication for Email Accounts: While there is no explicit requirement in the securities laws that broker-dealers or investment advisors implement multifactor authentication (MFA), the SEC stakes out a clear position in all three of its settlements. In each, the SEC found that defendants' failure to implement MFA for email accounts that handled sensitive customer data led to violations of the Safeguards Rule, which requires covered firms to protect customer data.

    The SEC found these violations even though the email account takeovers did not result in any unauthorized trades or transfers in customers' accounts. In this respect, the three settlements echo an April 2021 consent order between the New York Department of Financial Services (DFS) and National Securities Corporation. DFS found that National Securities Corporation violated state law by failing to secure its email accounts with MFA.
  • Spotlight on the Cloud: All three settlements explicitly focused on failures to secure cloud-based email accounts. While it is not clear why the SEC chose to specifically highlight cloud-based email, one explanation may be the ready availability of security features with such systems.

    Many cloud-based email systems come with built-in MFA solutions and integrations to third-party MFA software, as well as numerous other security features. The SEC may take the position that failing to use readily available security features is actionable. The aforementioned DFS settlement with National Securities Corporation also involved cloud-based email and other cloud applications.
  • Oversight of Independent Representatives: Each of the three settlements highlights failures to secure email accounts used by independent contractor representatives. In all three settlements, the SEC found that defendants failed to apply the same security standards to contractors' accounts as were applied to employees' accounts.

    In some cases, contractors' accounts were managed by branch offices or by the contractors themselves, and defendants failed to require adoption of MFA or other measures to secure the accounts. In yet another parallel to the National Securities Corporation case, DFS found that after the company migrated its employees to a new email system with MFA enabled, its independent contractors continued to use the previous system without MFA for some time.

    Even where independent representatives have significant leeway to manage their customer business, broker-dealers and investment advisors should promulgate and enforce minimum security requirements for anyone—employee or contractor—accessing customer data.
  • Importance of Incident Response Plans: In one of the settlements, the SEC found that a broker-dealer and investment adviser violated the Safeguards Rule by failing to maintain an adequate incident response plan (IRP). The SEC highlighted that the firm's plan did not specify timelines for various response activities.

Advisers Act Section 206(4) and Rule 206(4)-7

Section 206(4) of the Investment Advisers Act (commonly known as the "Advisers Act") makes it unlawful for investment advisers "to engage in any act, practice, or course of business which is fraudulent, deceptive, or manipulative." Adviser Act Rule 206(4)-7 requires investment advisers to "[a]dopt and implement written policies and procedures reasonably designed to prevent violation" of the Advisers Act and the SEC rules thereunder.

As discussed below, the SEC's settlement with the Cetera Entities found that two defendants violated these provisions because their policies and procedures for reviewing breach notifications failed to correct misleading language in notification letters after several email account compromises.

The Safeguards Rule

Rule 30(a) of Regulation S-P, known as the "Safeguards Rule," requires registered broker-dealers and investment advisers to "adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information." The Safeguards Rule requires that such written policies and procedures be reasonably designed to:

  • Insure the security and confidentiality of customer records and information;
  • Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
  • Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

The SEC found that all defendants in each of the three settlements violated the Safeguards Rule by failing to adopt written policies and procedures for securing cloud-based email accounts that contained customers' personally identifying information (PII). The settlement orders focused on the defendants' failure to require and implement MFA, particularly for accounts used by independent contractor representatives.

The Settlements

Cetera Entities

The SEC determined that five firms—Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC and Cetera Investment Advisers LLC—(collectively, the "Cetera Entities") willfully violated the Safeguards Rule by failing to adopt policies and procedures to secure its cloud-based email accounts.

The SEC's settlement order found:

  • Between November 2017 and June 2020, cloud-based email accounts of more than 60 employees or contractors were taken over by unauthorized parties. These account takeovers resulted in exposure of the PII of more than 4,388 customers.
  • In early 2018, the Cetera Entities enabled MFA for all employees' email accounts and for 6,650 contractor representative email accounts. However, thousands of contactor representative email accounts remained without MFA, and the Cetera Entities continued to suffer account takeovers.
  • For much of the relevant period, the Cetera Entities' security policies required use of MFA for "whenever possible, but at a minimum for privileged or high-risk access." However, none of the email accounts used MFA when they were compromised, even though they routinely stored customer PII.

The SEC concluded these failures to implement MFA violated the Safeguards Rule. In particular, the SEC found that Cetera Entities' policy requiring MFA for "privileged and high-risk access" "was not reasonably designed to be applied to all email accounts of Cetera Entities' contractor[s]." Although employee and contractor accounts were similarly likely to contain PII, only employee accounts uniformly had MFA enabled.

The SEC also found that two of the Cetera Entities—Cetera Advisors and Cetera Investment Advisers—violated the Section 206(4) of the Advisers Act and Rule 206(4)(7) by sending misleading breach notifications to customers following several account takeovers. Those letters used "template language regarding the timing of the incidents that was misleading in light of the circumstances."

Specifically, the letters referred to the compromises as "recent" and said that the compromises had been discovered two months ago when, in fact, the compromises had occurred about six months prior. The two-month date provided was the date that the Cetera Entities determined that the recipients' data was included in the compromised account—not the date the underlying compromises were discovered. The SEC found that the two Cetera Entities did not implement reasonably designed policies and procedures as required by the Advisers Act because their review of the notification letters failed to correct the misleading template language.

The Cetera Entities agreed to pay $300,000 as part of the settlement.

Cambridge

The SEC determined that Cambridge Investment Research, Inc., a registered broker-dealer, and Cambridge Investment Research Advisors, Inc., a registered investment advisor (collectively "Cambridge"), violated the Safeguards Rule by failing to require that independent contractor representatives use MFA or other enhanced security measures for cloud-based email accounts containing customer PII.

The SEC's settlement order found:

  • From January 2018 through July 2021, 121 email accounts of Cambridge independent contractor representatives were taken over by unauthorized parties. These compromises led to the exposure or potential exposure of about 6,000 customers' PII. Even after discovering the compromises, Cambridge did not implement MFA or other enhanced security measures for the compromised accounts.
  • Contractor representatives were responsible for the security their accounts. During the relevant period, Cambridge security policies recommended but did not require that representatives implement MFA. In May 2021, Cambridge began requiring contractor representatives to use MFA.

The Cambridge Entities agreed to pay $250,000 as part of the settlement.

KMS Financial Services

The SEC determined that KMS Financial Services, Inc. (KMS), a registered broker-dealer and investment adviser, violated the Safeguards Rule by failing to adopt policies and procedures to secure cloud-based email accounts and by failing to maintain an adequate incident response policy.

The SEC's settlement order found:

  • From September 2018 to August 2020, KMS's security policies recommended but did not require that independent contractor advisers implement MFA for accessing sensitive data. During that period, 15 email accounts of KMS personnel were compromised, resulting in exposure of about 4,900 customers' records. Those records included customer PII.
  • Upon discovering the account compromises, KMS enabled MFA on the compromised accounts. Despite recommendations from two outside security firms that MFA be enabled for all contractor accounts, KMS did not enable MFA firmwide until August 2020.
  • KMS did not have its own incident response policy, instead using a policy tailored to another subsidiary of its corporate parent. That policy "failed to include guidelines on timeframes or schedules for response activities," and written summaries of the account compromises were not completed for several months.

KMS agreed to pay $200,000 as part of the settlement.

Conclusion

Cybersecurity remains a priority for the SEC across its jurisdiction, from issuer disclosures of cybersecurity risks and breaches to broker-dealer and investment adviser security practices. As we discussed in our prior post, the SEC plans to propose amended rules on issuers' cybersecurity risk disclosure obligations by October 2021. DWT will continue to monitor the SEC's cybersecurity regulation and enforcement activities.