A U.S.-based brokerage firm that suffered a series of cyberattacks exposing clients’ personal data is being sanctioned in a settlement with the U.S. Securities and Exchange Commission (SEC).
The regulator reached a settlement with M Holdings Securities, Inc., a Portland-based broker-dealer and investment adviser, involving allegations that it breached securities rules by failing to maintain adequate cyber defences.
In its order, the SEC alleged that, between 2019 and 2024, the firm didn’t have policies and procedures that were reasonably designed to protect clients’ data and guard against identity theft.
During that period, the regulator alleged, 17 of the firm’s registered representatives had their email accounts taken over, and the compromised accounts were used for phishing and “credential harvesting” campaigns that exposed the data of roughly 8,500 people, including clients.
The SEC’s order said that the firm didn’t have any written cybersecurity policies until September 2020, when it adopted a policy of requiring individual branches to adopt their own policies and controls.
This policy wasn’t adequate, the SEC alleged, because many of its branches, including those that suffered email account takeovers, “continued to lack required information security policies and controls, such as multi-factor authentication, annual security awareness training, and written incident response policies, through March 2024.”
The firm agreed to settle the charges, without admitting or denying the allegations, by accepting a censure and paying a US$325,000 civil penalty.