On September 26, in the Securities and Exchange Commission’s (“SEC”) first enforcement action for violations of Regulation S-ID (the “Identity Theft Red Flags Rule”), Voya Financial Advisors Inc. (“VFA”), an SEC-registered investment adviser and broker-dealer, has agreed to settle charges relating to failures in its cybersecurity policies and procedures concerning a cyber-intrusion that compromised thousands of customers’ personal information. VFA agreed to pay a $1 million penalty as well as retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule. For a copy of the SEC order, visit here.

The SEC alleged that over a six-day period in 2016, certain persons impersonated VFA independent contractor representatives, calling the VFA support line and asking that the contractors’ passwords be reset. In two cases, the intruders used phone numbers that had been used in prior fraudulent activity. The intruders then used the new passwords to access the personal information of at least 5,600 VFA customers and obtain access to account documents for three customers. The SEC noted that there were not any known unauthorized transfers of funds or securities from VFA customer accounts attributable to the breach.

The SEC order found that VFA’s policies and procedures were not reasonably designed to protect customer information, prevent and respond to cybersecurity incidents, nor reasonably designed to be applied to its independent contractor representatives. Although VFA did have an identity theft prevention program in place, the SEC found that such program did not include sufficient policies and procedures to respond to identity theft red flags and that VFA did not review and update the program to account for changes in risks to its customers.

In addition to violations of the Identity Theft Red Flags Rule, the SEC charged VFA with violating Regulation S-P (the “Safeguards Rule”). These rules are intended to detect, prevent and mitigate identity theft and protect the confidential information of customers.

Investment adviser clients are reminded that under the Regulation S-P (the “Safeguards Rule”), every SEC-registered investment adviser must adopt written policies and procedures that address administrative, technical and physical precautions to detect, prevent and mitigate identity theft and protect client information. In addition, under the SEC’s Identity Theft Red Flags Rule, certain regulated entities (including SEC-registered investment advisers) are required to effectuate a written identity theft program containing policies and procedures designed to:

  • Identify relevant types of identity theft red flags;
  • Detect such red flags;
  • Respond appropriately to the detected red flags; and
  • Periodically update the identity theft program.

Clients should regularly review their cybersecurity procedures and confirm that they are both tailored to their specific businesses (including use of consultants) and that their procedures are regularly revised to take into account any changes in the risks that the businesses face.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.