SEC Settles Charges Against Firm for Inadequate Cybersecurity and Identity Theft Prevention Programs
On September 26, 2018, the SEC announced that it had settled administrative proceedings against Voya Financial Advisors, Inc., a dually registered broker-dealer and investment adviser, for the firm’s alleged failure to (1) adopt written policies and procedures reasonably designed to protect customer records and information, in violation of Rule 30(a) of Regulation S-P (the Safeguards Rule); and (2) develop and implement a written Identity Theft Prevention Program as required by Rule 201 of Regulation S-ID (the Identity Theft Red Flags Rule). The deficiencies alleged by the SEC related to an April 2016 incident in which cyber intruders impersonating Voya registered representatives were able to request and receive a reset of representatives’ passwords for a proprietary web portal used to access Voya customer information. Through this scheme, the SEC alleged that the intruders accessed personally identifiable information of 5,600 Voya customers. Furthermore, the SEC alleged that in two instances the intruders used customer information to create online customer accounts and access and change additional customer information. In addition, according to the SEC, Voya failed to notify customers when online profiles linked to their accounts were created or edited.
The Safeguards Rule requires every broker-dealer and investment adviser registered with the SEC to adopt written policies and procedures that are reasonably designed to ensure, and protect against any anticipated threats to, the security and confidentiality of customer records and information. The Identity Theft Red Flags Rule requires broker-dealers, investment advisers, investment companies and others to develop and implement a written identity theft prevention program that is designed to detect, prevent, respond to and mitigate identity theft. The SEC alleged that Voya violated the Identity Theft Red Flags Rule because it did not review and update its identity theft prevention program in response to changes in risks to its customers or provide adequate training to its employees. According to an SEC press release, the SEC’s settlement with Voya is the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule.
Without admitting or denying the foregoing, in settlement of the allegations, Voya agreed to be censured, pay a $1 million penalty, and retain an independent consultant to evaluate its policies and procedures for compliance with, and to cease and desist from violations of, the Safeguards Rule and the Identity Theft Red Flags Rule.
The SEC order is available at: https://www.sec.gov/litigation/admin/2018/34-84288.pdf