How would your firm ideally spend $300,000? An exotic corporate retreat sounds pretty nice. Or maybe you’re more practical and would work with your IT support partner to buy equipment and establish a hybrid working environment for your employees.
We can’t guess how you’d want to spend it, but we are confident you don’t want to hand $300,000 over to the SEC. Or $250,000. Or $200,000.
How the SEC Collected $750,000 Worth of Fines From 3 Financial Firms
The $300,000 messaging misstep
Who: Cetera Advisor Networks
- Between 2017 and 2020, “unauthorized third parties” hacked and phished their way into over 60 email accounts.
- The attack exposed the personally identifiable information (PII) – like bank account numbers and addresses – for 4,388 customers.
The breach itself didn’t cause the fine
The penalty came after the SEC discovered that Cetera Advisor Networks’ policies said multifactor authentication (MFA) should be enabled whenever possible, but MFA was not in use on any account.
Then, Cetera didn’t inform customers immediately. When they did send a notification, the wording made it sound like the breach occurred recently. It hadn’t. This creative wordsmithing, combined with not following its own MFA policy, cost Cetera $300,000 in fines.
A $250,000 delay
Who: Cambridge Investment Research
- Criminals successfully deployed common cyberattacks, like phishing and credential stuffing, to access the email accounts for 121+ independent representatives of Cambridge Investment Research.
- Hackers forwarded PII, resulting in confidential information being shared with threat actors
- Criminals also used access to send phishing messages from Cambridge Investment Research email accounts.
- 2,177 clients impacted
- 3,800 individuals potentially exposed
Procrastinate today and later you’ll pay
The breach was discovered in January 2018. Cambridge Investment Research suspended accounts and reset passwords. The firm’s cybersecurity guidance and policies included a recommendation for MFA. It was not enforced until July 2021. The 3-year delay was too slow for the SEC and led to the $250,000 fine.
Copy, paste, pay $200,000
Who: KMS Financial Services
- Hackers obtained full control of 15 KMS email addresses allowing them to establish rules and send messages from KMS accounts.
- Criminal activity exposed PII of 4,900 customers
- After the breach, KMS hired forensic firms to investigate what caused the incident.
- Multiple firms recommended adding MFA across the board, not only to the compromised accounts.
Half-hearted measures, full-bodied fines
KMS deserves some credit. In the aftermath of the breach, it turned MFA on for the compromised accounts. This goodwill was wiped out by a single action KMS did not take.
Although the forensic analysts said MFA should immediately be turned on for every account, KMS waited. Like in the case of Cambridge Investment Research, the delay was a costly decision. An attempt to cut corners compounded issues for the financial firm.
Any incident response policy you create is supposed to be yours. Not a file you find online and do a “save as” to “make it your own.” You also can’t do what KMS attempted – adopt your parent company’s policy as your own. This insufficient plan factored into the $200,000 fine levied by the SEC.
Bonus tip: If you need an incident response policy, an IT consultant will support you through the process and help you develop a tailored, compliant plan.
How to Protect Revenues and Your Reputation
The Parallels Between Fishing and Phishing – Yes, You Really ARE a Target
It’s easy to read through the examples above and think, “That’s too bad, but it won’t happen to me. No hacker cares about my firm or independent advisors.”
That is simply wrong.
The cybercriminals who carry out phishing expeditions are not snipers. They are a lot more like, well, someone who goes out fishing on the weekend.
When go fishing, you aren’t thinking about the 80-pound tuna that you know is in the lake. You throw your hook in and whatever bites is what you catch. A criminal who goes phishing has the same mentality. Sure, it’d be great to lure in the VP of a multinational company. But they’ll gleefully reel in whoever falls for their cyber bait. Including you or your lowest level employee.
MFA Should Never Cost $750,000
Multifactor authentication is an exceptional defense against the kinds of attacks the hackers successfully used to infiltrate Cetera Advisor Networks, Cambridge Investment Research and KMS. It’s also inexpensive and has a great ROI. The only time MFA is prohibitively costly is when a financial firm doesn’t ask their IT support provider to add it to every account.
Fines aren’t your only loss
When the SEC acts, the filings are published. Any current or potential client can read a court document detailing how you didn’t follow your own guidelines, acted irresponsibly with client data, or tried to manipulate the timeline of events. You can’t pay a few fines and recover your reputation.
Don’t Get Hooked and Fined – Ask an IT Support Specialist For an Assessment
Cybercriminals cast a wide net and hope for the best. You should be more tactical with your resources. Make a Rapid Security Assessment your starting point.
This evaluation will point out any critical flaws in your existing security environment – like which accounts are missing MFA. It’s less expensive than a Pentest, yet still effective. The results will provide you with a clearer picture of how to evade cybercriminals, protect confidential client data and avoid SEC fines.