On September 26, the Securities and Exchange Commission (SEC) announced that it had brought its first enforcement action under Rule 201 of Regulation S-ID (the Identity Theft Red Flags Rule), against broker-dealer and investment adviser Voya Financial Advisors Inc. (VFA). The SEC’s Identity Theft Red Flags Rule was adopted in 2010, pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. The rule, as summarized by the SEC, requires certain SEC-regulated entities to adopt a written identity theft program that includes policies and procedures designed to accomplish four objectives: (1) “Identify relevant types of identity theft red flags”; (2) “Detect the occurrence of those red flags”; (3) “Respond appropriately to the detected red flags”; and (4) “Periodically update the identity theft program.” Those entities “also must provide for the administration of the program, including staff training and oversight of service providers.”
In VFA’s case, the SEC brought an enforcement action under Rule 30(a) of Regulation S-P (the Safeguards Rule) and the Identity Theft Red Flags Rule. The SEC Order stated that over six days in April 2016,
one or more persons impersonating VFA contractor representatives called VFA’s technical support line and requested a reset of three representatives’ passwords for the web portal used to access VFA customer information, in two instances using phone numbers Voya had previously identified as associated with prior fraudulent activity. The prior activity also involved attempts to impersonate VFA contractor representatives in calls to Voya’s technical and customer support lines. Voya’s technical support staff reset the passwords and provided temporary passwords over the phone, and on two of the three occasions, they also provided the representative’s username.
Thereafter, despite certain steps by VFA to respond to the intrusion, the intruders obtained passwords and gained access to VFA’s portal over the next several days. They impersonated two additional representatives’ accounts “due to deficient cybersecurity controls and an erroneous understanding of the operation of the portal.” The intruders used the VFA representatives’ usernames and passwords to log in to the portal and gain access to personal identifying information (PII) for at least 5,600 of VFA’s customers, and to obtain account documents containing PII of at least one Voya customer. The intruders “also used customer information to create new Voya.com customer profiles, which gave them access to PII and account information of two additional customers.”
The Order stated that VFA violated the Safeguards Rule
because its policies and procedures to protect customer information and to prevent and respond to cybersecurity incidents were not reasonably designed to meet these objectives. Among other things, VFA’s policies and procedures with respect to resetting VFA contractor representatives’ passwords, terminating web sessions in its proprietary gateway system for VFA contractor representatives, identifying higher-risk representatives and customer accounts for additional security measures, and creation and alteration of Voya.com customer profiles, were not reasonably designed. In addition, a number of VFA’s cybersecurity policies and procedures were not reasonably designed to be applied to its contractor representatives.
It also stated that VFA violated the Identity Theft Red Flags Rule because “it did not review and update the Identity Theft Prevention Program in response to changes in risks to its customers or provide adequate training to its employees,” and because its Program “did not include reasonable policies and procedures to respond to identity theft red flags, such as those that were detected by VFA during the April 2016 intrusion.”
The Order specifically took note of VFA’s prompt undertaking of certain remedial acts after the intrusion. Those acts included “(a) blocking the malicious IP addresses; (b) revising its user authentication policy to prohibit provision of a temporary password by phone; (c) issuing breach notices to the affected customers, describing the intrusion and offering one year of free credit monitoring; and (d) implementing effective [multifactor authentication] for [VFA’s proprietary web portal].” VFA also named a new Chief Information Security Officer responsible for creating and maintaining cybersecurity policies and procedures and an incident response plan tailored to VFA’s business.
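To make the red flags in the Order concrete, here is an added example (not VFA’s or the SEC’s code) that screens helpdesk password-reset requests for the red flags the Order describes: a caller number previously tied to fraud, several representatives’ passwords reset from the same caller within a short window, and temporary passwords or usernames given out by phone. The fraud-number list, thresholds, sample records and function names are constructed assumptions.

```python
"""Identity-theft red-flag screening for helpdesk password-reset requests.
Added illustration; all numbers, names, records and thresholds are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed: caller numbers the firm has previously tied to fraudulent activity.
KNOWN_FRAUD_NUMBERS = {"+1-555-0100", "+1-555-0199"}


@dataclass
class ResetRequest:
    when: datetime
    caller_number: str
    target_rep: str               # representative whose password the caller wants reset
    temp_password_by_phone: bool  # did support read a temporary password over the phone?
    username_disclosed: bool      # did support also reveal the representative's username?


def screen_request(req, history, fraud_numbers=KNOWN_FRAUD_NUMBERS,
                   window=timedelta(days=6), max_targets=1):
    """Return the red flags raised by one request given the prior requests in `history`.
    An empty list means no red flag; normal caller verification still applies."""
    flags = []
    if req.caller_number in fraud_numbers:
        flags.append("caller_number_previously_fraudulent")
    # Distinct representatives this caller has asked to reset inside the window.
    recent = {r.target_rep for r in history
              if r.caller_number == req.caller_number and req.when - r.when <= window}
    recent.add(req.target_rep)
    if len(recent) > max_targets:
        flags.append("multiple_reps_reset_from_same_caller")
    if req.temp_password_by_phone:   # the policy VFA later prohibited (remedial act (b))
        flags.append("temporary_password_by_phone")
    if req.username_disclosed:
        flags.append("username_disclosed_by_phone")
    return flags


def screen_log(requests):
    """Screen requests in time order; returns {index: flags} for flagged requests only."""
    results, history = {}, []
    for i, req in enumerate(sorted(requests, key=lambda r: r.when)):
        flags = screen_request(req, history)
        if flags:
            results[i] = flags
        history.append(req)
    return results


# Constructed sample log loosely resembling the six-day pattern described in the Order.
SAMPLE = [
    ResetRequest(datetime(2016, 4, 1, 9), "+1-555-0100", "rep_a", True, True),
    ResetRequest(datetime(2016, 4, 2, 10), "+1-555-0123", "rep_b", True, False),
    ResetRequest(datetime(2016, 4, 3, 11), "+1-555-0123", "rep_c", True, True),
    ResetRequest(datetime(2016, 4, 4, 12), "+1-555-0142", "rep_d", False, False),
]
```

Running `screen_log(SAMPLE)` flags the first three requests and leaves the fourth (a single reset from an unknown number with no phone disclosure) unflagged.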
As part of the resolution of the case, the Order stated that VFA had agreed to certain specific undertakings that included:
- Retention, at its own expense, of an independent compliance consultant (“Consultant”) to conduct a comprehensive review of Respondent’s policies and procedures under the Safeguards Rule and the Identity Theft Red Flags Rule;
- Full cooperation with the Consultant;
- Within three months after September 26 (the date of the issuance of this Order), requiring the Consultant to submit to VFA and to the Commission staff a written Initial Report, which is to “describe the review performed [and], the conclusions reached,” and “include any recommendations deemed necessary to make the policies and procedures and their implementation comply with applicable requirements.”
- Adoption of all recommendations contained in the Initial Report within 90 days of the date of its issuance, unless within 30 days of the issuance of the Initial Report, VFA advises, in writing, the Consultant and the Commission staff of any recommendations that VFA considers to be unduly burdensome, impractical, or inappropriate.
- Within nine months after September 26, requiring the Consultant to complete its review and issue to VFA and the Commission staff a written Final Report that is to describe the review performed, the conclusions reached, the recommendations made by the Consultant, any recommendations not adopted by VFA pursuant to the preceding undertaking, any proposals made by Respondent, any alternative policies, procedures or systems adopted by VFA pursuant to the preceding undertaking, and how VFA is implementing the Consultant’s final recommendations.
In addition to those undertakings, VFA agreed to be censured and to pay a $1 million penalty.
Note: This case deserves wider attention from chief compliance officers and chief information security officers, and not only because it is the first SEC action under the Identity Theft Red Flags Rule. Since Dodd-Frank’s enactment, the SEC has repeatedly made clear – in part through its guidance on disclosure obligations and its Cybersecurity 1 and 2 Initiatives – that firms under its authority need to pay attention to their cybersecurity preparedness. In VFA’s case, even though the SEC order stated that there were no known unauthorized transfers of funds or securities from VFA customer accounts as a result of the attack, the number and variety of significant weaknesses that the SEC identified in its cybersecurity policies and procedures made VFA a prime candidate for the SEC’s first Identity Theft Red Flags Rule enforcement action.
Moreover, subsequent action by the SEC’s Enforcement Division sends an additional signal that the SEC will have little patience with companies that give their cybersecurity measures short shrift. On October 16, the SEC issued a report of an investigation by the Enforcement Division, in consultation with the Division of Corporation Finance and the Office of the Chief Accountant into whether certain public issuers (from numerous industries) “that were victims of cyber-related frauds may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls.” Although the Commission determined not to pursue an enforcement action in these matters, it stated that it issued the Report of Investigation “to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws.” This report sends a strong signal that in the future, the Commission expects to use internal-controls requirements, either alone or in conjunction with the Safeguards Rule and the Identity Theft Red Flags Rule, as a basis for sanctioning companies that fail to establish and maintain robust cybersecurity programs.