M Holdings Securities Inc, led by Russell Bundschuh, operated 120 branch offices without adequate information security controls from July 2019 through March 2024, even after adopting policies in September 2020 that member firms widely ignored.
Bundschuh was appointed President & CEO of M Financial Group in early 2022, after serving as Senior Vice President of Chubb Group and President of Chubb Life, where he oversaw global life insurance and reinsurance operations.
M Holdings Securities, the Portland-based broker-dealer of M Financial Group with $4.1 billion in client assets, has agreed to pay $325,000 to settle Securities and Exchange Commission charges that it maintained inadequate cybersecurity policies for nearly five years while 17 email account takeovers exposed personally identifiable information of approximately 8,500 individuals.

The SEC order states that M Holdings adopted an Information Security Policy in 2020 requiring basic protections such as multi-factor authentication and incident response procedures. Compliance data collected in 2021 and 2023 showed widespread non-compliance. Rather than impose consequences, M Holdings allowed the violations to continue while 13 member firms suffered email compromises in which attackers sent credential-harvesting messages from trusted, legitimate accounts.
The Decentralized Structure That Enabled Failure
M Holdings provides services through approximately 700 registered representatives at 120 branch offices designated as “member firms.” These independent operations sign customers to M Holdings agreements and generate revenue of which the firm retains a portion. The parent company, M Financial Holdings, owns the broker-dealer but holds no SEC registration, so M Holdings bears the regulatory responsibility for security controls it struggled to enforce.
Before September 2020, M Holdings had no written policies governing information security across member firms, a state the SEC characterized as “inadequate and inconsistent information security policies and controls.” The policy adopted that month set requirements in 17 categories, including multi-factor authentication, annual training, and incident response procedures.
M Holdings distributed a model policy through an online platform and relied on member firms to report their own compliance. That self-reported (and therefore unverified) data from 2021 and 2023 showed that numerous member firms lacked the required protections. Four firms experienced a second email takeover during the period. M Holdings imposed no consequences and never revised its policies to address the failures.
Seventeen Breaches and 8,500 Exposed Individuals
Between July 2019 and March 2024, unauthorized third parties gained access to the business email accounts of 17 registered representatives and employees across 13 member firms. The takeovers occurred through phishing and other methods that multi-factor authentication would likely have prevented, at least where the attacker had harvested only a password. The compromised accounts were then used to send malicious emails to approximately 8,500 recipients, a significant number of them M Holdings customers.
The credential-harvesting emails sent from the compromised accounts asked recipients to click links, open documents, or enter information that would expose their own login credentials. One breach resulted in an unauthorized wire transfer from a customer account, a direct financial loss on top of the exposure of personally identifiable information stored in the compromised mailboxes. The attacks exploited the trust customers placed in messages arriving from their financial advisors’ own email addresses.
Four member firms experienced two separate email account takeovers during the five-year period, accounting for approximately 2,952 of the 8,500 affected individuals. These repeat incidents at the same locations show that firms which suffered one compromise did not put in place the controls that would have prevented a second. M Holdings, despite receiving incident reports and compliance data showing these firms lacked the required security controls, allowed them to continue operating without consequence.
Identity Theft Program Frozen in Time
M Holdings also failed to maintain an adequate Identity Theft Prevention Program as required by Regulation S-ID. The firm had a written program in its compliance manuals and conducted training, but the program remained unchanged from at least 2015 through March 2024 despite the significant change in cybersecurity threats over that period.
Regulation S-ID requires firms to update their programs periodically to reflect changes in risk. M Holdings experienced 17 email takeovers but never incorporated cybersecurity-specific red flags into its program. The document addressed identity theft in the abstract while ignoring the concrete intrusions affecting its member firms. Its response procedures offered no guidance to member firms facing the kind of email compromise they actually experienced, and M Holdings never assessed whether its accounts qualified as “covered accounts” under the regulation.
Remedial Measures After Enforcement
Following the SEC investigation, M Holdings hired a Chief Information Security Officer, a Chief Privacy Officer, and an Assistant Vice President of Technology, positions that did not exist during the five years of failures. The firm plans to create enforcement mechanisms in 2025 to hold non-compliant member firms accountable. New risk assessments, onboarding reviews, and compliance attestations now supplement the training programs, and data loss prevention tools and vendor risk management provide oversight, all of it implemented only after regulators intervened.
Conclusion
M Holdings Securities will pay $325,000, roughly $38 per exposed individual, to resolve charges that it willfully violated Regulation S-P Rule 30(a) and Regulation S-ID Rule 201 for five years. The penalty represents approximately 0.008% of its $4.1 billion in assets under management, a financial consequence unlikely to deter similar failures at firms weighing the cost of compliance investments against regulatory risk. The case, investigated by Assistant Regional Director Rahul Kolhatkar of the SEC’s San Francisco office, underscores how decentralized business models can enable institutional failures when a parent company collects revenue from branch operations without enforcing the basic security standards that protect the customers who generate those fees.