Adding insult to injury, the Securities and Exchange Commission (SEC) fined Voya Financial Advisors Inc. (VFA) $1 million and ordered a comprehensive two-year review by a compliance consultant, following a cyber-attack on VFA’s business. On September 26, 2018, in the first-ever SEC enforcement action charging violations of the Identity Theft Red Flags Rule, VFA agreed to settle charges that it violated its cybersecurity obligations stemming from a cyber-attack that compromised the personal information of over 5,000 customers. This enforcement action demonstrates to securities firms the importance of not only implementing cybersecurity policies and procedures, but also making sure they have teeth. Cybersecurity programs must be comprehensive, current, enforced and taught internally, as well as vigorously followed when red flags warn of an attempted or completed cyber breach. Given the current regulatory emphasis on protecting customer information from cyber hacks, securities firms should expect continued heightened scrutiny of their cybersecurity programs. Preventing cyber hacks is virtually impossible given the sophistication of today’s hackers, as the SEC well knows. Having a robust cybersecurity program puts securities firms in a strong position to minimize the damage of a breach, including fending off a regulatory enforcement action.
SEC Cybersecurity Requirements
The Identity Theft Red Flags Rule requires certain SEC-regulated entities, including broker-dealers and investment advisors, to develop and implement a written identity theft prevention program designed to detect, prevent and mitigate identity theft in connection with customer accounts. Specifically, the Identity Theft Red Flags Rule requires firms to: (1) identify relevant types of identity theft red flags; (2) detect those red flags; (3) respond appropriately to the red flags; and (4) update the program periodically. The rule does not require specific red flags to be listed in the policies. Instead, each firm must adopt a program tailored to the risks unique to its business. The Safeguards Rule requires broker-dealers and investment advisors to adopt written policies and procedures reasonably designed to protect against unauthorized access to customer records and information.
In recent years, the SEC has increasingly reinforced its expectation that firms comply with these cybersecurity requirements. For example, in March 2014, the SEC held a Cybersecurity Roundtable to discuss cybersecurity risks facing the securities industry and how best to combat them. In addition, the SEC’s Office of Compliance Inspections and Examinations (OCIE) identified cybersecurity as an examination priority every year from 2015 to 2018. In September 2017, the SEC’s Enforcement Division formed a Cyber Unit that specializes in cybersecurity-related matters; this unit was credited with leading the investigation that resulted in the charges against VFA. Moreover, SEC Chairman Jay Clayton issued a statement in February 2018 highlighting the securities industry’s increasing reliance on technology and the associated cybersecurity risks, and urging entities to examine their respective cybersecurity controls and procedures.
The SEC Action Against VFA
The impetus for the SEC’s charges against VFA was an April 2016 cybersecurity incident involving an intrusion into the web portal that VFA contractor representatives used to manage customer accounts. One or more perpetrators telephoned VFA’s technical support line, impersonated three VFA contractor representatives, and were provided temporary passwords over the phone, which the perpetrator(s) then used to access the web portal. The perpetrator(s) thereafter accessed personally identifiable information (PII) for over 5,000 customers. Fortunately for VFA and its customers, the SEC found no evidence of unauthorized transfers of funds or securities from customer accounts.
A review of the SEC’s Order against VFA is instructive on the factors and conduct that could cause the SEC to deem a firm in violation of the Identity Theft Red Flags Rule and the Safeguards Rule despite the existence of cybersecurity policies and procedures. While we likely will never know what circumstances compelled the SEC to charge and fine VFA and mandate a costly independent compliance review, we submit that the following findings were significant and warrant review by securities firms.
- VFA failed to tailor its policies and procedures to its business model, which involved a network of contractor representatives (including some working in remote offices) accessing customer information through the web portal. For example, VFA (1) did not adequately enforce inactivity timeouts on web portal sessions; (2) was not able to terminate remote sessions; (3) did not require users to answer security questions when connecting a new device; and (4) failed to ensure that contractor representatives installed updated antivirus and encryption software on their computers.
- VFA failed to mitigate the cyber intrusion after a VFA contractor representative alerted a technical support employee that the representative had received an email confirming a password change he/she did not request. Despite being alerted to this potential breach, VFA failed to take appropriate measures, which enabled the perpetrator(s) to subsequently impersonate two other contractor representatives and gain additional access to the VFA web portal.
- VFA’s policies did not require its staff to (nor did the staff) cross-reference the two phone numbers used by the perpetrator(s) against an internal fraud monitoring phone list. Doing so would have alerted VFA that the two phone numbers had previously been flagged as associated with fraudulent activity that similarly involved attempts to impersonate VFA contractor representatives.
- VFA’s policies and procedures for responding to breaches and mitigating identity theft following a cyber intrusion were not reasonably designed to deny or limit unauthorized access to customer PII. The VFA staff who responded to the cyber incidents were not adequately trained and mistakenly believed that resetting a password for a contractor would automatically terminate the contractor’s existing sessions. Nor did VFA have reasonable procedures to change security codes or take other measures to deny unauthorized access to customer accounts after learning of the intrusion.
- VFA failed to substantially review or update its Identity Theft Prevention Program after implementing it in 2009, despite major changes in the firm’s risk profile and the significant evolution of cybersecurity threats.
- VFA’s policies did not explicitly prohibit its staff from providing usernames to users over the phone and did not require temporary passwords to be sent via secure email.
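Two of the findings above are engineering failures rather than paperwork failures: the portal did not enforce inactivity timeouts or allow remote session termination, and responders assumed a password reset would end the intruder’s live sessions. The following is an added example written for this article, not VFA’s code or anything quoted in the SEC Order, showing the distinction in working Python: a server-side session store in which every request is validated against an idle timeout and a per-user credential version, so that a reset both changes the password and revokes every session issued under the old credential. The 15-minute timeout, the class and function names, and the user names are assumptions chosen for illustration; the Order specifies none of them.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

# Assumed policy value for this example; the SEC Order faults the absence of
# enforced inactivity timeouts but does not prescribe a number.
INACTIVITY_TIMEOUT = 15 * 60  # seconds


@dataclass
class User:
    username: str
    password_hash: str
    # Bumped on every password reset. Each session records the version it was
    # issued under; a mismatch means the credential changed after login, so the
    # session is rejected even if a stale copy of it survives somewhere.
    credential_version: int = 0


@dataclass
class Session:
    username: str
    credential_version: int
    last_activity: float


class PortalSessions:
    """Server-side session store with idle timeout and reset-triggered revocation."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so the behaviour can be tested deterministically
        self._users: dict[str, User] = {}
        self._sessions: dict[str, Session] = {}

    def add_user(self, username: str, password_hash: str) -> None:
        self._users[username] = User(username, password_hash)

    def login(self, username: str) -> str:
        """Issue an opaque random token bound to the user's current credential version."""
        token = secrets.token_urlsafe(32)
        user = self._users[username]
        self._sessions[token] = Session(username, user.credential_version, self._clock())
        return token

    def is_valid(self, token: str) -> bool:
        """Check on every request; unknown, idle, or stale-credential sessions are dropped."""
        sess = self._sessions.get(token)
        if sess is None:
            return False
        now = self._clock()
        if now - sess.last_activity > INACTIVITY_TIMEOUT:
            del self._sessions[token]
            return False
        if sess.credential_version != self._users[sess.username].credential_version:
            del self._sessions[token]  # password was reset after this session was issued
            return False
        sess.last_activity = now  # activity extends the idle window
        return True

    def terminate_sessions(self, username: str) -> int:
        """Explicit remote termination of all of a user's sessions; returns how many were ended."""
        doomed = [t for t, s in self._sessions.items() if s.username == username]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def reset_password_naive(self, username: str, new_hash: str) -> None:
        """The reset VFA's responders believed was sufficient: change the credential only."""
        self._users[username].password_hash = new_hash

    def reset_password(self, username: str, new_hash: str) -> int:
        """Hardened reset: new credential, bump the version, and end every live session."""
        user = self._users[username]
        user.password_hash = new_hash
        user.credential_version += 1
        return self.terminate_sessions(username)


def demo() -> dict:
    """Replay the failure mode with a fake clock; all names and values are constructed."""
    now = [0.0]
    store = PortalSessions(clock=lambda: now[0])
    store.add_user("rep1", "hash-v1")

    # Session an impersonator obtains with a temporary password given out over the phone.
    intruder = store.login("rep1")
    store.reset_password_naive("rep1", "hash-v2")
    naive_still_valid = store.is_valid(intruder)       # True: reset alone changes nothing

    store.reset_password("rep1", "hash-v3")
    hardened_still_valid = store.is_valid(intruder)    # False: revoked by version bump

    # A legitimate session left idle past the policy window is also rejected.
    idle = store.login("rep1")
    now[0] += INACTIVITY_TIMEOUT + 1
    idle_still_valid = store.is_valid(idle)            # False: timed out server-side

    return {
        "naive_still_valid": naive_still_valid,
        "hardened_still_valid": hardened_still_valid,
        "idle_still_valid": idle_still_valid,
    }
```

The credential-version check and the explicit `terminate_sessions` call overlap on purpose: the explicit call handles the sessions this node can see, while the version check catches any session record that was cached or replicated elsewhere and would otherwise outlive the reset. Either control alone would have been enough to end the intruder’s access in the scenario the Order describes; VFA had neither.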
Securities Firms Should Assess Their Cybersecurity Program
The VFA enforcement action is a stark reminder that merely implementing cybersecurity policies and procedures will not insulate a securities firm from SEC prosecution. The SEC expects firms to have current and robust cybersecurity programs.
Given the current regulatory focus on cybersecurity, firms would be wise to take a critical look at their cybersecurity programs and ask the following questions:
- Is the cybersecurity program adequately designed to match the risk profile of the business?
- Is our firm proactively teaching and enforcing our policies and procedures?
- Are we routinely testing our systems to verify that the systems in place can adequately manage a cyber incident?
- Are we periodically reviewing and updating the cybersecurity program and data breach systems to protect against ever-evolving cybersecurity threats?
- Has our firm experienced any cyber-attacks and, if so, was our response adequate?
When assessing cybersecurity programs, we recommend securities firms consider the five points below.
- Robust policies and procedures, tested and updated regularly, are an essential and expected part of any cybersecurity program. As recent enforcement actions demonstrate, however, regulators will critically evaluate how such policies and procedures are actually implemented in response to cybersecurity incidents. Even if no customer harm results from an incident, firms will be expected to demonstrate that policies were reasonable, tested and followed.
- Firms are expected to stay abreast of tools available to assist in cybersecurity efforts. Penetration and vulnerability testing are now generally expected. Many firms also use behavioral analytics to surface anomalous activity and train staff to recognize and respond to threats. Firms should continually assess how they identify, escalate and respond to threats, and use tools that are reasonable given the firm’s particular business model.
- While most firms utilize third-party vendors to assist with cybersecurity, the SEC has made clear that firms remain ultimately responsible for meeting their cybersecurity obligations. Firms should vet their vendors, supervise their vendors on an ongoing basis, and take appropriate actions if threats related to third-party vendors are identified.
- A comprehensive, prompt response to potential threats or red flags is critical. Regulators will expect firms to identify red flags apparent from their systems, to escalate those issues appropriately, and to promptly take action to neutralize the threat and minimize any damage.
- Don’t be penny wise and pound foolish regarding cybersecurity. As the VFA case demonstrates, investment in systems, training and oversight is important and can prevent costly data breaches and regulatory penalties.