Advisory Firm to Settle SEC Charges Regarding Deficient Cybersecurity Procedures

The Securities and Exchange Commission announced Sept. 26 that Voya Financial Advisors has agreed to pay $1 million to settle charges related to its failures in cybersecurity policies and procedures surrounding a cyber intrusion that compromised personal information of thousands of customers.

The SEC charged the Des Moines-based broker-dealer and investment adviser with violating the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft. The SEC also reported that the Voya enforcement action marks the first time it has charged a violation of the Identity Theft Red Flags Rule.

According to the SEC, cyber intruders impersonated Voya contractors over a six-day period in 2016 by calling Voya’s support line and requesting that the contractors’ passwords be reset. The intruders used the new passwords to gain access to the personal information of 5,600 VFA customers. The intruders then used the customer information to create new online customer profiles and obtain unauthorized access to account documents for three customers.

The SEC determined that Voya’s failure to terminate the intruders’ access stemmed from weaknesses in its cybersecurity procedures, some of which had been exposed during prior similar fraudulent activity. According to the SEC order, Voya also failed to apply its procedures to the systems used by its independent contractors.

Without admitting or denying the SEC’s findings, Voya agreed to be censured and pay a $1 million penalty. Also, the firm will retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule and related regulations.

“This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Robert A. Cohen, Chief of the SEC Enforcement Division’s Cyber Unit, in a statement. “They also must review and update the procedures regularly to respond to changes in the risks they face.”

In May 2017, the SEC issued an alert that involved a review of 75 SEC-registered broker-dealers, investment advisers and investment companies to assess industry practices and legal, regulatory and compliance issues associated with cybersecurity preparedness.

In 2015, the SEC offered guidance on the cybersecurity risks that financial firms face, and in 2016 the ERISA Advisory Council issued a report that sets forth considerations for the industry on navigating cybersecurity risks.

At the 2018 NAPA 401(k) Summit in April, Rachel Wilson, head of cybersecurity for Morgan Stanley’s Wealth Management unit, provided some cybersecurity advice for advisors. At the conference, we also polled more than 500 advisors on how their plan sponsor clients view cyber threats. Additionally, a NAPA Net reader poll in November 2017 gauged the cybersecurity concerns of advisors and plan sponsors. Other posts on the cybersecurity threat can be found here and here.