In the first enforcement of the Identity Theft Red Flags Rule, the U.S. Securities and Exchange Commission (SEC) fined Voya Financial Advisors, Inc. $1,000,000 for failing to provide training on and reasonably design its written policies and procedures to mitigate identity theft. On September 26, 2018, the SEC announced a settled enforcement action against Voya, a dually registered broker-dealer and investment advisor, arising from a cyber intrusion that compromised personal information of thousands of customers.

The SEC’s order describes a six-day period in 2016 during which cyber intruders impersonated Voya contractors by calling Voya’s support line and requesting that their passwords be reset. With the new temporary passwords, the intruders obtained access to the personal information of 5,600 Voya customers. From there, they were able use that information to create new online customer profiles and get access to account documents for three customers. There were no unauthorized transfers of funds or securities from Voya customer accounts.

The SEC alleged that Voya had violated the Safeguards Rule, which requires broker-dealers and investment advisers adopt written policies and procedures that provide for the protection of customer records and information, and the Identity Theft Red Flags Rule, which requires them to develop and adopt a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft.

Voya had written policies and procedures, but the SEC alleged that in light of Voya’s business model and risk profile, they were not reasonably designed to: “(1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.” Significantly, several of Voya’s cybersecurity policies and procedures were not reasonably designed to be applied to its contractor representatives or to their remote systems, and they were not updated to reflect changes in risks to customers from identity theft. Moreover, Voya failed to provide training specific to preventing identity theft. Accordingly, the intruders were able to obtain access because of Voya’s weaknesses in those procedures, some of which had been exposed by previous fraudulent activity. The SEC order includes a detailed description of how the intruders obtained access, and should be required reading for everyone who establishes or oversees a cybersecurity program.