The Securities and Exchange Commission settled an enforcement action against Voya Financial Advisors, Inc. related to purported deficiencies in its cybersecurity procedures that the SEC alleged contributed to a cyber intrusion and compromise of customers’ personal information. Voya is registered with the SEC as a broker-dealer and investment adviser.

According to the SEC, over six days in April 2016 one or more persons impersonated Voya independent contractor representatives, obtained resets of three such representatives’ passwords for offsite access to Voya’s web portal for brokerage customer and advisory client personal information, and used those passwords to access the personal information of at least 5,600 Voya customers and to obtain account documents containing personal information of at least one customer. The SEC said that, in two instances, the impersonators obtained the password resets by calling from phone numbers Voya previously had identified as associated with fraudulent activity. In two instances, Voya personnel also gave the impersonators the relevant representatives’ user names.

Although the first compromised independent contractor representative contacted Voya three hours after the impersonation to report that he had never requested a password change, the firm did not take adequate measures to prevent the two subsequent impersonations, alleged the SEC. Moreover, Voya did not cut off the intruders’ access to the three representatives’ accounts due to “deficient cybersecurity controls and an erroneous understanding of the operation of the portal,” charged the SEC.

The SEC alleged that Voya’s breakdown constituted violations of SEC rules designed to protect customer information, to prevent and respond to cybersecurity incidents, and to detect, prevent and mitigate identity theft.

Voya agreed to pay a fine of US $1 million to the SEC to resolve its charges, as well as to retain an independent consultant to assess its cybersecurity programs related to protecting customer information and to adopt all of the consultant’s recommendations for improvement.

The SEC acknowledged that there were no identified unauthorized transfers of funds or securities from any customer’s account attributable to the breach.

Compliance Weeds: Voya was specifically charged with violations of the SEC’s Safeguard Rule. (Click here to access Regulation S-P Rule 30(a), 17 C.F.R. § 248.30(a), and here for a copy of the Theft Red Flags Rule, Regulation S-ID Rule 201, 17 C.F.R. § 248.201.)

Under the Safeguard Rule, broker-dealers, investment companies, and investment advisers must have written policies that ensure the security and confidentiality of customer records and information and protect against any anticipated threats, hazards, or unauthorized access to or use of such records and information in a way that might cause customers substantial inconvenience or harm.

Under the SEC’s Theft Red Flags Rule, the same group of registered entities and certain other registrants must also implement an identity theft prevention program that aims to detect, prevent and mitigate identity theft in connection with the opening and maintenance of any covered account. This program must be appropriate in light of the size and complexity of the financial institution and nature and scope of its activities. A covered account includes an account for personal, family or household purposes that is intended to permit multiple payments or transactions. This includes a brokerage account or an account at an investment company. However, a covered account also includes any account at a financial institution “where there is a reasonable or foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.”

(Click here for additional information regarding the SEC’s Safeguard Rule and here for more information regarding the Theft Red Flags Rule.)

The Commodity Futures Trading Commission requires futures commission merchants, introducing brokers, commodity trading advisers, commodity pool operators, and certain other registrants to comply with its version of the Theft Red Flags Rule. (Click here to access CFTC Part 162.)

(Click here to access the Federal Register release explaining the adoption of both the SEC’s and CFTC’s final Theft Red Flags Rule.)