July 2, 2020

Volume X, Number 184

SEC Settles Charges Against Firm for Inadequate Cybersecurity and Identity Theft Prevention Programs

On September 26, 2018, the SEC announced that it had settled administrative proceedings against Voya Financial Advisors, Inc., a dually registered broker-dealer and investment adviser, for the firm’s alleged failure to (1) adopt written policies and procedures reasonably designed to protect customer records and information, in violation of Rule 30(a) of Regulation S-P (the Safeguards Rule); and (2) develop and implement a written Identity Theft Prevention Program as required by Rule 201 of Regulation S-ID (the Identity Theft Red Flags Rule). The deficiencies alleged by the SEC related to an April 2016 incident in which cyber intruders impersonating Voya registered representatives were able to request and receive a reset of representatives’ passwords for a proprietary web portal used to access Voya customer information. Through this scheme, the SEC alleged that the intruders accessed personally identifiable information of 5,600 Voya customers. Furthermore, the SEC alleged that in two instances the intruders used customer information to create online customer accounts and access and change additional customer information. In addition, according to the SEC, Voya failed to notify customers when online profiles linked to their accounts were created or edited.

The Safeguards Rule requires every broker-dealer and investment adviser registered with the SEC to adopt written policies and procedures that are reasonably designed to ensure, and protect against any anticipated threats to, the security and confidentiality of customer records and information. The Identity Theft Red Flags Rule requires broker-dealers, investment advisers, investment companies and others to develop and implement a written identity theft prevention program that is designed to detect, prevent, respond to and mitigate identity theft. The SEC alleged that Voya violated the Identity Theft Red Flags Rule because it did not review and update its identity theft prevention program in response to changes in risks to its customers or provide adequate training to its employees. According to an SEC press release, the SEC’s settlement with Voya is the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule.

Without admitting or denying the foregoing, in settlement of the allegations, Voya agreed to be censured, pay a $1 million penalty, and retain an independent consultant to evaluate its policies and procedures for compliance with, and to cease and desist from violations of, the Safeguards Rule and the Identity Theft Red Flags Rule.

The SEC order is available at: https://www.sec.gov/litigation/admin/2018/34-84288.pdf

© 2020 Vedder Price

National Law Review, Volume VIII, Number 296


About this Author

Vedder Price P.C. attorneys provide a full range of services to a diverse financial services clientele. Attorneys practicing in the firm’s Investment Services Group are experienced in all aspects of investment company and investment adviser securities regulations, broker-dealer regulatory and compliance matters, derivatives and financial product matters, and ERISA and tax matters. Clients include mutual fund complexes, hedge and other private funds, money managers, broker-dealers, independent directors, and many other types of institutions such as banks, savings and loans,...