SEC Settles Charges Against Firm for Inadequate Cybersecurity and Identity Theft Prevention Programs
Tuesday, October 23, 2018
Lack of written cybersecurity policy results in violations
Print Mail Download i

On September 26, 2018, the SEC announced that it had settled administrative proceedings against Voya Financial Advisors, Inc., a dually registered broker-dealer and investment adviser, for the firm’s alleged failure to (1) adopt written policies and procedures reasonably designed to protect customer records and information, in violation of Rule 30(a) of Regulation S-P (the Safeguards Rule); and (2) develop and implement a written Identity Theft Prevention Program as required by Rule 201 of Regulation S-ID (the Identity Theft Red Flags Rule). The deficiencies alleged by the SEC related to an April 2016 incident in which cyber intruders impersonating Voya registered representatives were able to request and receive a reset of representatives’ passwords for a proprietary web portal used to access Voya customer information. Through this scheme, the SEC alleged that the intruders accessed personally identifiable information of 5,600 Voya customers. Furthermore, the SEC alleged that in two instances the intruders used customer information to create online customer accounts and access and change additional customer information. In addition, according to the SEC, Voya failed to notify customers when online profiles linked to their accounts were created or edited.

The Safeguards Rule requires every broker-dealer and investment adviser registered with the SEC to adopt written policies and procedures that are reasonably designed to ensure, and protect against any anticipated threats to, the security and confidentiality of customer records and information. The Identity Theft Red Flags Rule requires brokerdealers, investment advisers, investment companies and others to develop and implement a written identity theft prevention program that is designed to detect, prevent, respond to and mitigate identity theft. The SEC alleged that Voya violated the Identity Theft Red Flags Rule because it did not review and update its identity theft prevention program in response to changes in risks to its customers or provide adequate training to its employees. According to an SEC press release, the SEC’s settlement with Voya is the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule.

Without admitting or denying the foregoing, in settlement of the allegations, Voya agreed to be censured, pay a $1 million penalty, and retain an independent consultant to evaluate its policies and procedures for compliance with, and to cease and desist from violations of, the Safeguards Rule and the Identity Theft Red Flags Rule.

The SEC order is available at: https://www.sec.gov/litigation/admin/2018/34-84288.pdf

© 2024 Vedder Price

Current Public Notices

Current Legal Analysis

More from Vedder Price

New York Governor Vetoes Bill Banning Non-Compete Agreements
by: Jonathan A. Wexler
SEC’s Enforcement Director Comments on CCO Liability, Self-Reporting and Cooperation
by: Nathaniel Segal , Jacob C. Tiedt
SEC Staff Issues 2024 Examination Priorities
by: Nathaniel Segal , Jacob C. Tiedt
SEC Adopts Significant Amendments to Beneficial Ownership Reporting Requirements
by: Nathaniel Segal , Jacob C. Tiedt
SEC Adopts Securities Lending Disclosure Requirement
by: Nathaniel Segal , Jacob C. Tiedt
The Deal That Ended the SAG-AFTRA Strike
by: Labor and Employment Practice
Ringing in the New California Laws
by: Michael A. Wahlander
FTC and DOJ Publish 2023 Merger Guidelines
by: Brian K. McCalmon
The Corporate Transparency Act December 2023 Update
by: Joel R. Thielen
New York City Bans Employers from Creating Height and Weight Requirements
by: Jonathan A. Wexler

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins