The SEC announced on September 26 that a Des Moines-based broker-dealer and investment adviser has agreed to pay $1 million to settle charges related to failures in its cybersecurity policies and procedures surrounding a cyber intrusion that compromised the personal information of thousands of customers.
Voya Financial Advisors Inc. (VFA) is charged with violating the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft. This is the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule.
The fine relates to a 2016 incident in which the SEC claims that bad actors posing as contractors allegedly infiltrated the firm’s support system, convinced staff to update their passwords, and then succeeded in creating new profiles. According to the SEC, access was gained to the personal information of over 5,500 customers.
The order also finds that VFA’s failure to terminate the intruders’ access stemmed from weaknesses in its cybersecurity procedures, some of which had been exposed during prior similar fraudulent activity. According to the order, VFA also failed to apply its procedures to the systems used by its independent contractors, who make up the largest part of VFA’s workforce.
According to Stephanie Avakian, Co-Director of the SEC Enforcement Division, “VFA failed in its obligations when its deficiencies made it vulnerable to cyber intruders accessing the confidential information of thousands of its customers.”
“This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Robert A. Cohen, Chief of the SEC Enforcement Division’s Cyber Unit. “They also must review and update the procedures regularly to respond to changes in the risks they face.”
This enforcement case demonstrates that the SEC continues to focus on cybersecurity as part of its examination program. Contact Warren Finkel at 646.558.6358 to schedule a strategic cybersecurity assessment to determine the weaknesses in your system.
View the entire SEC press release here.