SEC Charges Firm with Cyber and Identity Theft Prevention Failures

Regulatory Briefs
Written By Jonathan Hurd, CAMS

The Securities and Exchange Commission (“SEC”) settled charges against Voya Financial Advisors Inc. (VFA”), a dual FINRA member broker-dealer and SEC registered investment adviser for its failure in adopting written policies and procedures designed to protect customer information and protect customers from the risk of identity theft. VFA’s cybersecurity failures led to a cyber intrusion that compromised the personal information for thousands of VFA customers.

The SEC charged VFA with violating the Safeguards Rule (“Regulation S-P”) and the Identity Theft Red Flags Rule (“Regulation S-ID”), which are designed to protect confidential customer information and protect customers from the risk of identity theft.

VFA failed to adopt written policies and procedures reasonably designed to protect customer records and information, as well as failed to develop and implement a written Identity Theft Prevention Program, the SEC states.

According to the SEC’s order, cyber intruders impersonated VFA contractors over a six-day period in 2016, by calling VFA’s support line and requesting contractors’ passwords be reset.  The cyber intruders used the new passwords to gain access to the personal information of 5,600 VFA customers.  The SEC’s order states that the cyber intruders used the customer information to create new online customer profiles and obtain unauthorized access to account documents for three customers.  Further, the SEC order states that VFA failed to terminate the cyber intruders’ access stemming from weaknesses in its cybersecurity procedures, some of which had been exposed during a prior similar fraudulent activity.

This is the SEC’s first enforcement action charging violations of the Identity Theft Red Flags Rule.

Without admitting or denying the SEC’s findings, VFA agreed to be censured and pay a $1million penalty and will retain an independent consultant to evaluate its policies and procedures for compliance with the Regulation S-P and Identity Theft Flags Rule and related regulations.

Please contact an ARG Analyst with any questions regarding this matter. We encourage you to read the SEC order which may be accessed at: https://www.sec.gov/litigation/admin/2018/34-84288.pdf

Jonathan Hurd, CAMS

CEO, COMPLIANCE AND RISK MANAGEMENT

Previous

September 2018 Disciplinary Actions
Next

SEC Staff Issues Guidance on Third-Party Record keeping Services