SEC charges Voya Financial Advisors with deficient cyber-security procedures

In the Securities and Exchange Commission's first enforcement action for violations of the Identity Theft Red Flags Rule, Voya Financial Advisors has agreed to pay $1 million to settle charges for having deficient cyber-security policies and procedures concerning a cyber intrusion that compromised the personal information of thousands of customers.

The SEC on Sept. 26 charged the broker-dealer and investment adviser with violating the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft. According to the SEC’s order, cyber intruders impersonated VFA contractors over a six-day period in 2016 by calling VFA’s support line and requesting that the contractors’ passwords be reset. The intruders used the new passwords to gain access to the personal information of 5,600 VFA customers.

The SEC’s order finds that the intruders then used the customer information to create new online customer profiles and obtain unauthorized access to account documents for three customers. The order also finds that VFA’s failure to terminate the intruders’ access stemmed from weaknesses in its cyber-security procedures, some of which had been exposed during prior similar fraudulent activity.
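The pattern the order describes, a help-desk password reset requested by phone followed by use of the reset credentials against customer data, is one a defender can look for in logs. The following is an added example, not code from the SEC order or from VFA, run over constructed help-desk and access events; the log format, field names, channel values and the 24-hour window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the SEC order). Each line is a
# timestamp, an event type, then key=value fields. A "phone" reset is a
# help-desk reset requested by a caller; "portal_mfa" is a self-service
# reset that required a second factor.
SAMPLE_LOG = """\
2016-04-01T09:12:00 reset user=contractor17 channel=phone
2016-04-01T09:40:00 login user=contractor17 ip=203.0.113.5
2016-04-01T09:45:00 access user=contractor17 action=view_customer_pii
2016-04-02T10:02:00 reset user=contractor22 channel=phone
2016-04-02T10:30:00 login user=contractor22 ip=203.0.113.5
2016-04-02T10:33:00 access user=contractor22 action=create_customer_profile
2016-04-03T11:00:00 reset user=employee04 channel=portal_mfa
2016-04-03T11:20:00 login user=employee04 ip=198.51.100.9
2016-04-03T11:25:00 access user=employee04 action=view_customer_pii
"""

# Actions that touch customer records (assumed names).
SENSITIVE = {"view_customer_pii", "create_customer_profile"}

def parse(line):
    ts, kind, *kv = line.split()
    ev = {"ts": datetime.fromisoformat(ts), "kind": kind}
    ev.update(f.split("=", 1) for f in kv)
    return ev

def detect(log, window_hours=24):
    """Return (subject, reason) findings for two signals: a phone-requested
    reset followed within the window by access to customer records, and
    several phone-reset accounts logging in from the same source IP."""
    window = timedelta(hours=window_hours)
    events = [parse(l) for l in log.splitlines() if l.strip()]
    phone_resets = {e["user"]: e["ts"] for e in events
                    if e["kind"] == "reset" and e["channel"] == "phone"}
    findings, ip_users = [], defaultdict(set)
    for e in events:
        reset_ts = phone_resets.get(e["user"])
        if reset_ts is None or not (reset_ts <= e["ts"] <= reset_ts + window):
            continue  # no phone reset, or activity outside the window
        if e["kind"] == "login":
            ip_users[e["ip"]].add(e["user"])
        elif e["kind"] == "access" and e["action"] in SENSITIVE:
            findings.append((e["user"], f"sensitive access {e['action']} "
                             f"{e['ts'] - reset_ts} after phone reset"))
    for ip, users in ip_users.items():
        if len(users) > 1:
            findings.append((ip, f"{len(users)} phone-reset accounts logged in "
                             "from one IP: " + ", ".join(sorted(users))))
    return findings

if __name__ == "__main__":
    for subject, reason in detect(SAMPLE_LOG):
        print(subject, "-", reason)
```

The self-service MFA reset for employee04 produces no finding, so the check singles out the help-desk path that the order says was abused rather than every reset.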

According to the order, VFA also failed to apply its procedures to the systems used by its independent contractors, who make up the largest part of VFA’s workforce. “This case is a reminder to brokers and investment advisers that cyber-security procedures must be reasonably designed to fit their specific business models,” said Robert Cohen, Chief of the SEC Enforcement Division’s Cyber Unit. “They also must review and update the procedures regularly to respond to changes in the risks they face.”

Without admitting or denying the SEC’s findings, VFA agreed to be censured and pay a $1 million penalty and will retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule and related regulations.