The Securities and Exchange Commission has imposed a total of $750,000 in penalties and censured a number of financial firms, including Cambridge Investment Research, over cybersecurity lapses, according to an announcement on Monday.
The SEC said the independent broker-dealers failed to implement cybersecurity policies and tools, including multi-factor authentication, which allowed hackers to breach employees’ and brokers’ cloud-based email accounts and access clients’ personal information. In some cases, the firms had also failed to promptly notify customers or implement changes to secure their systems after the issues were uncovered, according to the SEC.
At Cambridge Investment Research Advisors, hackers took over 121 broker email accounts between January 2018 and July 2021, exposing personal information of at least 2,177 clients.
“Although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021, resulting in the exposure and potential exposure of additional customer and client records and information,” the federal agency said in its report.
A spokesperson for Fairfield-based Cambridge, which has around 3,600 independent brokers, according to its site, said the company “has and does maintain a robust information security group and procedures to ensure clients’ accounts are fully protected.”
Cambridge has agreed to pay a $250,000 penalty in the case.