Friday, September 28, 2018

First SEC enforcement charging violations of the Identity Theft Red Flags Rule

By R. Jason Howard, J.D.

The SEC has accepted an offer of settlement from Iowa-based, dually registered broker-dealer and investment adviser, Voya Financial Advisors, Inc. (VFA), for failures in its cybersecurity policies and procedures involving a breach that compromised the information of thousands of its customers (In the Matter of Voya Financial Advisors, Inc., Release No. 34-84288, September 26, 2018).

Cybersecurity intrusion. The SEC’s order stemmed from a cyber intrusion that occurred over a six-day period in 2016, in which intruders impersonated VFA contractors and convinced VFA’s support line to change passwords, which allowed them to access the personal information of 5,600 VFA customers. The order also found that weakness in VFA’s cybersecurity policies and procedures led to VFA’s failure to terminate the intrusion in a timely fashion.

Charges. VFA was charged with “violating the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft.”

“Customers entrust both their money and their personal information to their brokers and investment advisers,” said Stephanie Avakian, Co-Director of the SEC Enforcement Division. “VFA failed in its obligations when its deficiencies made it vulnerable to cyber intruders accessing the confidential information of thousands of its customers.”

“This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Robert A. Cohen, Chief of the SEC Enforcement Division’s Cyber Unit. “They also must review and update the procedures regularly to respond to changes in the risks they face.”

Penalties. Without admitting or denying the SEC’s findings, VFA has agreed to a censure and a $1 million penalty. It will also retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule and related regulations.

The release is No. 34-84288.