Cybersecurity: Firm Pays $1 Million to Settle Deficient Procedure Charges
A dually-registered adviser/broker-dealer agreed on September 26 to pay the SEC $1 million in fines as part of a settlement over cybersecurity violations. The settlement with Des Moines-based Voya Financial Advisers (VFA) involved violations of two agency cybersecurity-related rules, as well as a 2016 incident in which hackers gained access to personally identifiable information for at least 5,600 of the firm’s customers.
The settlement is notable not only because it involves cybersecurity, a hot topic in the asset management community, and because of its size, but because the agency charged the firm with violating both a regulation known as the Safeguards Rule and another called the Identity Theft Red Flags Rule. It was the first time the SEC brought a settlement involving violations of the latter rule.
The hackers gained access to the VFA files by impersonating VFA contractors over a six-day period in April 2016, according to the settlement order. They called VFA’s support line and requested that the contractors’ passwords be reset, then used the new passwords to gain access to the personal information of the 5,600 VFA customers, the SEC said. Once they had that access, the intruders allegedly used the customer information to create new online customer profiles and obtain unauthorized access to account documents for three customers.
“The order finds that VFA’s failure to terminate the intruders’ access stemmed from weaknesses in its cybersecurity procedures, some of which had been exposed during prior similar fraudulent activity,” the agency said. “VFA also failed to apply its procedures to the systems used by its independent contractors, who make up the largest part of VFA’s workforce.”
The settlement “shows that the SEC has teeth around cyber and it reinforces that a cyber breach will not go unnoticed by regulators,” said ACA Aponix partner Raj Bakhru. “We’ve seen numerous cyber exams initiated by the SEC due to a breach. The agency expects advisers and broker/dealers to take action to protect against social engineering attacks like the one that caused this particular breach, as well as to have prepared incident response procedures and strong execution.”
“By now there should not be a firm in the country that does not recognize cybersecurity as a critical business risk,” said Shartsis Friese partner Jahan Raissi. “This case is a reminder that it is also a regulatory risk.”
Further, he said, with Voya “the SEC is announcing that it is not enough to have general and ill-fitting policies. The order is quite detailed in the technical failings of the firm’s policies and shows that the SEC is capable of and willing to assess the specific security features a firm employs, as well as the effectiveness of the response once an intrusion is detected. The Commission also was critical of the fact that Voya’s policies were not tailored to the specifics of its actual operations, did not change as the operations of the firm changed, and in some instances were not actually followed. Firms should expect to see the heightened scrutiny of cybersecurity issues to continue with this Commission and its focus on matters impacting retail investors.”
“This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business needs,” said SEC Division of Enforcement Cyber Unit chief Roger Cohen. “They also must review and update the procedures regularly to respond to changes in the risks they face.”
Voya and the settlement
VFA, which has about 13 million customers and approximately $11 billion in assets under management, not only received a $1 million civil money penalty, it was censured and agreed to retain a compliance consultant. The agency credited the firm for taking remedial steps, including blocking the malicious IP addresses; revising its user authentication policy to prohibit provision of a temporary password by phone; issuing breach notices to the affected customers, describing the intrusion and offering one year of free credit monitoring; and implementing multi-factor authentication for its web portal.
The firm also, in August 2017, hired a new chief information security officer responsible for creating and maintaining cybersecurity policies and procedures, as well as an incident response plan, tailored to VFA’s business.
In a prepared statement, a Voya spokesperson said that “we are pleased to have resolved this matter. Voya promptly addressed and reported the incident when it occurred two years ago, and we notified the individuals who were involved. No personal information was downloaded from our systems, and there was no evidence of financial harm. We have also enhanced our measures so that a similar situation does not reoccur.”
“Voya takes fraud and security matters seriously, and we invest significantly each year in our programs to protect the accounts and personal information of customers,” the spokesperson said. “We also know that independent advisors and third parties who work with us are increasingly the targets of fraud. As part of our efforts, Voya continues to work with and support these partners to help protect their identity and client information.”
The rules and the violations
Here’s a breakdown of the two rules that Voya allegedly violated, as well as how the SEC said Voya violated them:
- Rule 30(a) of Regulation S-P (the Safeguards Rule). This Rule requires that Commission-registered advisers and broker-dealers adopt written policies and procedures to address administrative, technical and physical safeguards to protect customer records and information, according to the SEC. They must be “reasonably designed” to do three things: 1) ensure the security and confidentiality of customer records and information, 2) protect against any anticipated threats or hazards to the security or integrity of customer records and information, and 3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. Voya violated the Rule because the firm’s policies and procedures “were not reasonably designed to meet these objectives,” the SEC said. As examples, it noted that the firm’s policies and procedures for resetting contractor representatives’ passwords, terminating web sessions in its proprietary gateway system for contractor representatives, identifying higher-risk representatives and customer accounts for additional security measures, and creating and altering Voya.com customer profiles were “not reasonably designed.”
- Rule 201 of Regulation S-ID (the Identity Theft Red Flags Rule). Commission-registered advisers and broker-dealers, as well as certain other financial institutions, are required under this Rule to develop and implement a written identity theft prevention program designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account or any existing such account, according to the agency. Such a program, the SEC said, must include reasonable policies and procedures to identify relevant red flags for the covered accounts and incorporate them into the program, detect the red flags that have been incorporated, respond appropriately to any such red flags detected under the program, and ensure that the program is updated periodically to reflect changes in risks to customers from identity theft. VFA violated this Rule, the SEC said, “because it did not review and update the identity theft prevention program as needed, or provide adequate training to employees.”
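The controls the order faults and the remedial steps the firm took (no temporary passwords by phone, MFA on the portal, the same procedures for contractor representatives, extra measures for higher-risk representatives, session termination, blocked IPs) can be expressed as a single decision function for a password-reset request. The following is an added illustration written for this article, not VFA’s actual procedures or any SEC-published logic; the rule set, the identifiers and the sample requests are all constructed here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ResetRequest:
    requester_id: str   # constructed representative id, not a real VFA identifier
    channel: str        # "phone" (support line) or "portal" (web gateway)
    mfa_verified: bool  # did the requester complete multi-factor authentication
    is_contractor: bool # independent contractor representative
    source_ip: str

@dataclass(frozen=True)
class RiskContext:
    blocked_ips: frozenset        # addresses blocked after prior intrusions
    higher_risk_ids: frozenset    # representatives flagged for additional measures
    recent_reset_ids: frozenset   # representatives already reset within the lookback window

def evaluate_reset(req: ResetRequest, ctx: RiskContext) -> dict:
    """Decide whether an automated reset may proceed and which follow-ups are mandatory.

    Hypothetical policy modelled on the controls described in the order:
    every denial reason is recorded so the help desk sees why the request stopped."""
    reasons, actions = [], []
    if req.source_ip in ctx.blocked_ips:
        reasons.append("source IP is on the block list")
    if req.channel == "phone":
        reasons.append("temporary passwords are never issued over the phone")
    elif not req.mfa_verified:
        reasons.append("portal reset requires completed MFA")
    if req.requester_id in ctx.recent_reset_ids:
        reasons.append("repeat reset within lookback window; hold for manual review")
    # contractor representatives get exactly the same checks as employees;
    # the only difference is that their resets are additionally logged for review
    if req.is_contractor:
        actions.append("log contractor reset for review")
    if req.requester_id in ctx.higher_risk_ids:
        actions.append("require out-of-band confirmation before credential issue")
    allowed = not reasons
    if allowed:
        # a reset is a credential change, so existing gateway sessions must die with it
        actions.append("terminate existing gateway sessions")
    return {"allowed": allowed, "reasons": reasons, "required_actions": actions}

# constructed sample context and requests for a stand-alone run
CTX = RiskContext(frozenset({"203.0.113.7"}), frozenset({"rep-0042"}), frozenset({"rep-0099"}))
SAMPLES = [
    ResetRequest("rep-0001", "phone", False, True, "198.51.100.5"),
    ResetRequest("rep-0042", "portal", True, True, "198.51.100.9"),
    ResetRequest("rep-0042", "portal", True, True, "203.0.113.7"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.requester_id, r.channel, evaluate_reset(r, CTX))
```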