The Securities and Exchange Commission (SEC) has long been focused on cybersecurity-related issues to ensure the integrity of market systems and to safeguard the security of customer data. As part of that focus, in September 2017, the SEC announced certain enforcement initiatives to combat cyber-based threats along with the creation of a dedicated Cyber Unit, which specifically investigates cyber-related misconduct. Over the course of the past few years, the SEC has launched a handful of actions addressing hacking and cyber-intrusions that resulted in the exposure of confidential personally identifiable information.
On September 26, 2018, the SEC announced a major enforcement settlement with Voya Financial Advisors, Inc. (VFA), which agreed to pay $1 million relating to alleged failures in the firm’s cybersecurity policies and procedures surrounding a cybersecurity event that compromised personal information of thousands of its customers, in violation of Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the Safeguards Rule) and Rule 201 of Regulation S-ID (17 C.F.R. § 248.201) (the Identity Theft Red Flags Rule) (SEC Consent Order dated September 26, 2018). VFA neither admitted nor denied the SEC’s findings. In addition to the $1 million penalty and censure, VFA agreed to retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule, the Identity Theft Red Flags Rule and related regulations. This matter stands as the SEC’s first enforcement action charging violations of Regulation S-ID.
According to the SEC’s order, over the course of a six-day period in April 2016, individuals impersonating three of VFA’s independent contractor representatives (contractors), who typically have access to VFA’s systems through a remote access portal, telephoned VFA’s technology support line and duped VFA’s support staff into resetting access passwords and providing temporary passwords and the contractors’ usernames. The SEC found that the telephone numbers used by the intruders had already been used in prior fraudulent activity, including prior telephone calls to VFA support staff attempting to impersonate contractors.
Armed with the stolen information, the intruders used the contractors’ credentials to log in to VFA’s remote portal and access personal information of some 5,600 customers. They also managed to access the account documents of three customers. Although VFA support staff received information suggesting that the unauthorized access may have occurred and took steps to respond to the intrusion, according to the SEC order, their response did not prevent further efforts by the intruders to impersonate other contractors. As a result, over the following few days, additional password information was improperly provided to the intruders, and additional unauthorized access occurred. VFA was also unable to terminate the intruders’ access to the initial contractors’ accounts, which, according to the SEC order, was “due to deficient cybersecurity controls and an erroneous understanding of the operation of the [online access] portal.”
The Safeguards Rule requires every broker-dealer (B/D) and every registered investment advisor (RIA) to adopt “written policies and procedures to address administrative, technical and physical safeguards” that are “reasonably designed” to protect customer records and information and prevent unauthorized access. The Identity Theft Red Flags Rule requires B/Ds and RIAs to develop and implement a written Identity Theft Prevention Program (ITPP), which is to include reasonable policies to identify relevant red flags that may occur in the company’s day-to-day operations. The program must be designed to detect possible fake, forged or altered identification, detail the appropriate actions to deter red flags, and set forth how the company will keep the program current to reflect new threats.
In sum, according to the SEC order, although VFA had written cybersecurity policies and procedures, its procedures were not reasonably designed to address the specific risks posed by its business model and it failed to review and update its procedures in response to changes in risks to its customers or provide adequate training to its employees.
“This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models,” stated Robert A. Cohen, Chief of the SEC Enforcement Division’s Cyber Unit, in a related SEC press release. “They also must review and update the procedures regularly to respond to changes in the risks they face,” Cohen advised. This case also reflects the reality that even where the most sophisticated technological systems are employed, firms must be rigorous in training their personnel on cybersecurity risks in order to mitigate the avoidable human factors of cybersecurity.