Financial firms urged to take cyber security more seriously | Mortgage Strategy


Financial firms must start taking cyber security more seriously, as it is something the UK regulator is likely to get tough on, Financial Technology Research Centre founder and director Ian McKenna has warned.

US regulator the Securities and Exchange Commission (SEC) has become increasingly strict with firms whose cyber security failures lead to breaches of customer data.

It announced last month that it had sanctioned eight firms in three actions for failures in their cybersecurity policies and procedures.

The failures had resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm.

McKenna said it is a matter of “when, not if,” the Financial Conduct Authority gets tough on this.

“While some firms are clearly changing their practices, we still see activity regularly where firms simply are not taking cyber security sufficiently seriously,” he added.

“This is an area where networks and support groups can add a lot of value to help smaller firms implement the right procedures.”

The eight firms which have agreed to settle the charges in the US are: Cetera Advisor Networks, Cetera Investment Services, Cetera Financial Specialists, Cetera Advisors, Cetera Investment Advisers, Cambridge Investment Research, Cambridge Investment Research Advisors, and KMS Financial Services.

All were SEC-registered as broker dealers, investment advisory firms, or both.

“Investment advisers and broker dealers must fulfil their obligations concerning the protection of customer information,” said Kristina Littman, chief of the SEC enforcement division’s cyber unit.

“It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”

The SEC’s orders against each of the firms find that they violated ‘rule 30(a) of regulation S-P’ – also known as the ‘safeguards rule’ – which requires firms to adopt written policies and procedures to protect confidential customer information.

The SEC’s order against the Cetera Entities found that, between November 2017 and June 2020, cloud-based email accounts of over 60 Cetera Entities’ personnel were taken over by unauthorised third parties.

This resulted in the exposure of personally identifying information (PII) of at least 4,388 customers and clients.

None of the taken-over accounts were protected in a manner consistent with the Cetera Entities’ own policies.

The SEC’s order also found that Cetera Advisors and Cetera Investment Advisers sent breach notifications to the firms’ clients, which included misleading language suggesting the notifications were issued much sooner than they actually were after discovery of the incidents.

According to the SEC’s order against Cambridge, between January 2018 and July 2021, cloud-based email accounts of over 121 Cambridge representatives were taken over by unauthorised third parties, resulting in the PII exposure of at least 2,177 Cambridge customers and clients.

The regulator also found that, although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021.

This resulted in the exposure and potential exposure of additional customer and client records and information.

According to the SEC’s order against KMS, between September 2018 and December 2019, cloud-based email accounts of 15 KMS financial advisers or their assistants were taken over by unauthorised third parties. This caused the PII exposure of approximately 4,900 KMS customers and clients.

The SEC’s order further revealed that KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020.

Additionally, it did not fully implement those additional security measures firm-wide until August 2020, placing additional customer and client records and information at risk.
