In a landmark settlement, the Securities and Exchange Commission (SEC) fined Voya Financial Advisors (VFA) for violating the Identity Theft Red Flags Rule, which applies to financial institutions and creditors. Without admitting or denying the SEC's findings, VFA agreed to pay $1 million to settle charges that it failed to establish policies and procedures reasonably designed to protect customer information against cyber intrusion.
The Red Flags Rule took effect on January 1, 2008, though the Federal Trade Commission pushed its enforcement deadline back to the end of 2010. The SEC order, issued on September 26, 2018, arose from events that took place over six days in 2016 on VFA's proprietary web portal.
One or more fraudsters obtained passwords and access to VFA's portal by impersonating the firm's contractor representatives. They called VFA's support line and requested password resets, which let them obtain new passwords and reach the personal information of thousands of the company's customers. With that customer information, they then created new customer profiles. The entry point was the reset process itself, not a flaw in the portal's code, which is why the order turns on VFA's written procedures and their execution rather than on a software defect.
The rule, also called the Identity Theft Rules, requires that "Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account."
The SEC found that VFA failed "to adopt written policies and procedures reasonably designed to protect customer records and information." It also found that the firm, a dually registered broker-dealer and investment adviser, had neither developed nor implemented a written program to protect against identity theft.
Although VFA took steps to respond to the intrusion, it did not succeed in terminating the intruders' access to the accounts, "due to deficient cybersecurity controls and an erroneous understanding of the operation of the portal." In other words, the response failed for the same reason the attack succeeded: the people operating the portal did not know precisely what a reset or a revocation actually did on the system.
This is the first SEC enforcement action charging a firm with violating the Identity Theft Red Flags Rule, and it will likely set a precedent going forward.
“Customers entrust both their money and their personal information to their brokers and investment advisers,” said Stephanie Avakian, co-director of the SEC Division of Enforcement, in a press release. “VFA failed in its obligations when its deficiencies made it vulnerable to cyber intruders accessing the confidential information of thousands of its customers.”