SEC Charges Firm with Deficient Cybersecurity Procedures
The SEC announced a settlement with Voya Financial Advisors Inc. (VFA), a broker-dealer and investment adviser, relating to failures in cybersecurity policies and procedures surrounding a cyber intrusion that compromised personal information of thousands of customers. The firm agreed to pay $1 million to settle charges that it violated the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft. This is the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule.

According to the SEC’s order, cyber intruders impersonated VFA contractors over a six-day period in 2016 by calling VFA’s support line and requesting that the contractors’ passwords be reset. The intruders used the new passwords to gain access to the personal information of 5,600 VFA customers, among other things. The SEC found that VFA’s failure to terminate the intruders’ access stemmed from weaknesses in its cybersecurity procedures, some of which had been exposed during prior similar fraudulent activity. According to the order, VFA also failed to apply its procedures to the systems used by its independent contractors, who make up the largest part of its workforce. The firm did not admit or deny the SEC’s findings.