SEC cybersecurity enforcement

19 December 2018, Investment Funds, by Vincent Gao,

Voya Financial Advisors, Inc. (VFA), a registered broker-dealer and investment adviser, was charged in September 2018 with violating the Safeguards Rule and the Identity Theft Red Flags Rule (collectively, the Rules) of the U.S. Securities and Exchange Commission (SEC), which are designed to safeguard confidential customer information and to protect against identity theft.

According to the SEC settlement order, hackers impersonated VFA’s contractors and successfully reset the contractors’ passwords by calling VFA’s telephone support line. Using these passwords, the hackers gained access to personally identifiable information of at least 5,600 VFA customers, and this information was then used to create new online customer profiles and to obtain access to account documents of at least one customer. There were however no detected unauthorized transfers of funds or securities from the affected accounts as a result of the breach.

When VFA became aware of the breach, it took steps to block the malicious IP addresses, revised its user authentication policy to prohibit provision of temporary passwords by telephone and issued notices to affected customers which described the breach and offered one year of free credit monitoring. VFA also named a new chief information security officer. 

The SEC however found VFA’s response to the breach to be inadequate. Although VFA had existing cybersecurity policies and procedures in place, the SEC alleged, in relation to the Safeguards Rule, that VFA’s policies and procedures, including with respect to the resetting of passwords and the identification of higher-risk representatives and customer accounts for additional security measures were not reasonably designed, nor reasonably designed to be applied to its contractors. The SEC also alleged that VFA had not provided adequate training to its employees with respect to its Identity Theft Prevention Program and that in any event this program did not include reasonable policies and procedures to respond to identity theft red flags, nor was the program reviewed and updated in response to changes in risks to VFA’s customers.

Without admitting to the SEC’s findings, VFA agreed to a $1 million settlement for the alleged failures in its cybersecurity policies and procedures. VFA was also required to retain an independent consultant to review its policies and procedures for compliance with the Rules.

Conclusion

This is the first SEC enforcement action in relation to a violation of the Identity Theft Red Flags Rule and it provides guidance on the SEC’s expectations relating to cybersecurity policies and procedures. It also provides a look at the potentially severe regulatory, financial and reputational risks where actions taken by registered broker-dealers and investment advisers to comply with the Rules fall short. In particular, it appears that merely having cybersecurity policies and procedures in place will not be sufficient if they are not reasonably designed or ineffective.