I’ve said it for a long time. It’s imperative that plan sponsors and plan providers wake up about cybersecurity issues. The recent action by the Securities and Exchange Commission (SEC) is just a harbinger of things to come when the Department of Labor (DOL) finally gets its act going.
The SEC sanctioned 8 firms for their failures in their policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm.
The eight firms, which were dinged, are Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, the Cetera Entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS). Each firm agreed to cease and desist from future violations of the charged provisions, to be censured, and to pay a penalty.
The SEC claimed that each of the firms violated Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which is designed to protect confidential customer information. The SEC’s order against the Cetera Entities also finds that Cetera Advisors LLC and Cetera Investment Advisers LLC violated Section 206(4) of the Advisers Act and Rule 206(4)-7 in connection with their breach notifications to clients.
More is yet to come.