Financial Services Firms Should Take Notice: SEC Begins Imposing Penalties for Cybersecurity Risk Mismanagement

August 31, 2021 by Smarsh


On August 30th, the SEC sanctioned the financial firms Cetera Entities, Cambridge, and KMS for failures in their cybersecurity policies that resulted in breaches affecting thousands of customers and clients. All three firms were registered with the Commission as broker-dealers, investment advisers, or both. The sanctions highlight the growing importance of third-party risk management for financial firms, as well as the urgency of effective internal risk evaluation.

Cetera Entities, Cambridge, and KMS all had employee email accounts taken over by unauthorized third parties, which exposed the personally identifying information of thousands of customers and clients. The fact that they were breached is only half of the story - it’s how they were breached and how they handled it that makes these firms a true cautionary tale.

In its investigation, the SEC found that none of the Cetera Entities accounts that were taken over had been protected in accordance with the firm’s own security policies. The cybersecurity policy existed, but it was neither implemented nor monitored.

Both Cambridge and KMS failed to implement cybersecurity measures quickly enough after their initial breaches. Both firms discovered their first email account takeover in 2018, but neither enacted a cybersecurity policy to limit exposure until 2020 for KMS and 2021 for Cambridge. It’s hard to say exactly why the firms took so long to implement firm-wide security measures for cloud-based email accounts, but what we can say for certain is that it cost them.

The financial costs alone for this type of risk mismanagement are staggering. Cetera Entities will pay a $300,000 penalty, Cambridge will pay a $250,000 penalty, and KMS will pay a $200,000 penalty. On top of the penalties, all three firms will be dealing with the reputational consequences for years to come.

This is a clear-cut example of internal risk. In Cetera’s case, having a cybersecurity policy wasn’t enough because it simply wasn’t being executed. A strong internal risk management program consistently monitors its policies to confirm that they are being followed and kept up to date. When a break in policy is discovered, there should be clear action items to address the issue within days, not years. For Cambridge and KMS, we see a failure of urgency. Cybersecurity can be extremely complex and scary - it’s easy to push it aside to focus on “more important” matters, but in reality, it’s mission critical.

"Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information," said Kristina Littman, Chief of the SEC Enforcement Division's Cyber Unit. "It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks."

An organization’s risk management program becomes more essential every day as breaches like these increase in frequency. All organizations, large and small, are at risk both from outside third parties and from within. The good news is that we can learn from firms like Cetera, Cambridge, and KMS… along with all the firms that have been breached in the last 10 years. Cybersecurity and risk management are getting better by the minute, and Privva is leading the charge. You don’t have to reinvent risk management - there are best practices ready to be implemented and monitored.

Privva works with some of the top financial firms in the industry to reduce exposure and stay in compliance. If you would like to learn more about risk management, feel free to contact us for a consultation.
