On September 26, 2018, the SEC announced that it settled charges against a broker-dealer/investment adviser related to its failures to adopt and implement adequate cybersecurity policies and procedures. The failures were identified in connection with a cyber intrusion that compromised personal information of thousands of customers. The firm agreed to be censured and pay a $1 million penalty.
Over a six-day period in 2016, cyber intruders impersonated Voya Financial Advisors Inc. (VFA) contractors by calling VFA’s support line and requesting that the contractors’ passwords be reset. The intruders used the new passwords to gain access to the personal information of VFA customers. The SEC’s order finds that the intruders then used the customer information to create new online customer profiles and obtain unauthorized access to account documents for three customers. The order also finds that VFA’s failure to terminate the intruders’ access stemmed from weaknesses in its cybersecurity procedures.
The SEC charged VFA with violating Rule 30(a) of Regulation S-P (Safeguards Rule), which requires every broker-dealer and every investment adviser registered with the SEC to adopt written policies and procedures that are reasonably designed to safeguard customer records and information. The SEC also charged VFA with violating Rule 201 of Regulation S-ID (Identity Theft Red Flags Rule), which requires registered broker-dealers and investment advisers that offer or maintain covered accounts to develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing covered account.
VFA agreed to be censured and pay a $1 million penalty, and will retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule and related regulations.