SEC Orders KMS Financial Services to Pay $200,000 Penalty Over Failure to Adopt Written Policies and Procedures to Safeguard Customer Information and Records Against Cyberattacks

On August 30, 2021, the SEC ordered KMS Financial Services, Inc. (“KMS”), a dually registered broker-dealer and investment advisory firm with the SEC, to pay a penalty of $200,000 because KMS did not have written policies and procedures in place to safeguard customer information and records against cyberattacks and over a period spanning approximately fifteen months fifteen KMS financial adviser email accounts were accessed by unauthorized third parties resulting in the exposure  of personal identifying information (“PII”) of thousands of KMS customers. The SEC found KMS’s actions and failings to be a willful violation of Rule 30(a) of Regulation S-P (17 C.F.R. §248.30(a), also known as the “Safeguards Rule.” The Order can be found here.

Under the Safeguards Rule, “(a) Every broker, dealer, and investment company, and every investment adviser registered with the Commission must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to: (1) Insure the security and confidentiality of customer records and information; (2) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.”

Between September 2018 and December 2019, cyber attacks resulted in the takeover of email accounts that belonged to fifteen KMS financial advisers, meaning that an unauthorized third party was able to access the email accounts, view their contents, and act as an authorized user, which included deleting and sending emails. This unauthorized third party access resulted in the forwarding of customer PII to unauthorized email addresses that were outside KMS, as well as customers receiving phishing emails (an email designed to trick a person into providing their information so that another can gain unauthorized access to a computer service or system). In all, the cyberattacks exposed the PII of approximately 4,900 KMS customers. 

While KMS discovered the first email account compromise in November 2018, it was not until May 2020, approximately eighteen months later, that KMS adopted written policies and procedures that required additional security measures (such as enabling multi-factor authentication, or “MFA”) firm-wide, applicable to all KMS email users. Further, it was not until August 2020, approximately twenty-one months after the first cyberattack was discovered, that KMS actually implemented these additional security measures. The SEC also noted that it took several months after an email account takeover was discovered for KMS to complete a written summary of the takeover.

It appears that the SEC is not tolerating a lax approach to safeguarding PII against cyberattacks, particularly a firm’s slow response to fortifying its cyber defenses in response to such attacks. One wonders whether KMS could have mitigated the risk presented by these cyberattacks, as well as the $200,000 penalty it is now ordered to pay, if it had both adopted written policies and procedures regarding additional security measures, and implemented such measures in a more timely manner.