The Securities and Exchange Commission (SEC) on Monday penalized eight firms across three separate actions for breaches of employee email accounts that exposed the personal information of thousands of customers in each case.

Five separate subsidiaries of Cetera Financial Group agreed to pay a total of $300,000 for their collective alleged violations. Cambridge Investment Research and Cambridge Investment Research Advisors will pay a total of $250,000, while KMS Financial Services will be fined $200,000.

At each entity, the cloud-based email accounts of employees were taken over by unauthorized third parties. Each company was cited for violating the Safeguards Rule of Regulation S-P, which requires SEC-registered broker-dealers and investment advisers to adopt written policies and procedures reasonably designed to safeguard customer records and information.

The Cetera breaches took place between November 2017 and June 2020 and exposed the personal information of nearly 4,500 customers, according to the SEC. The firm was aware of the unauthorized access, obtained via phishing, credential stuffing, and other forms of cyber-attacks, as soon as January 2018 and responded by mandating multi-factor authentication (MFA) be turned on. Despite this rule, breaches allegedly continued until 2020 in accounts that did not have MFA active.

The SEC also criticized Cetera for including misleading language in breach notifications to customers regarding the timeline of the alleged incidents.

The Cambridge vulnerability went from January 2018 until July 2021, according to the SEC. The personal information of nearly 2,200 customers was allegedly exposed by hacking methods similar to the Cetera case. Cambridge discovered the unauthorized access in January 2018 but did not require MFA for all cloud-based accounts until last month, the SEC stated.

At KMS, the personal information of approximately 4,900 customers was allegedly exposed between September 2018 and December 2019. Only 15 employee accounts were breached, with customers receiving phishing emails as a result of the vulnerability, the SEC stated. KMS responded by resetting the passwords of the accounts and enabling MFA, but these measures were not fully implemented until 21 months after discovery of the first breach, according to the SEC.

“Investment advisers and broker dealers must fulfill their obligations concerning the protection of customer information,” said Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit, in a press release. “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”