The Securities and Exchange Commission has fined Voya Financial Advisors Inc. $1 million to settle charges related to its alleged failures in cybersecurity policies and procedures surrounding a cyber intrusion that compromised personal information of thousands of customers. This is the first SEC enforcement action charging violations of the identity theft red flags rule.
The SEC charged Voya Financial Advisors Inc., a Des Moines-based broker-dealer and investment adviser, with violating the safeguards rule and the identity theft red flags rule, which are designed to protect confidential customer information and customers from the risk of identity theft.
According to the SEC’s order, cyber intruders impersonated Voya contractors over a six-day period in 2016 by calling the company’s support line and requesting that the contractors’ passwords be reset. The intruders used the new passwords to gain access to the personal information of 5,600 Voya customers.
The intruders created new online customer profiles and obtained unauthorized access to account documents for three customers. The SEC claims that weaknesses in Voya’s cybersecurity procedures, some of which had been exposed during prior similar fraudulent activity, resulted in Voya’s failure to terminate the intruders’ access.
The regulators also noted that Voya failed to apply its procedures to the systems used by its independent contractors, who make up the largest part of its workforce.
“This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Robert Cohen, chief of the SEC enforcement division’s cyber unit. “They also must review and update the procedures regularly to respond to changes in the risks they face.”
Without admitting or denying the SEC’s findings, Voya agreed to be censured, to pay a $1 million penalty, and to retain an independent consultant to evaluate its policies and procedures.