
The Securities and Exchange Commission said Wednesday that a Des Moines-based broker-dealer and investment advisor has agreed to pay $1 million to settle charges for cybersecurity failures that led to a cyber intrusion that compromised thousands of customers' personal information.

The SEC charged Voya Financial Advisors Inc. with violating Regulation S-P, or the Safeguards Rule, and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft.

VFA failed to adopt written policies and procedures reasonably designed to protect customer records and information, and failed to develop and implement a written Identity Theft Prevention Program, the SEC states.

This is the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule, the securities regulator said.

“This case is a reminder to brokers and investment advisors that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Robert Cohen, chief of the SEC Enforcement Division's Cyber Unit. “They also must review and update the procedures regularly to respond to changes in the risks they face.”

According to the SEC order, VFA gave its independent contractor representatives access to its brokerage customer and advisory client information through a proprietary web portal.

“Through the portal, the contractor representatives accessed the personally identifiable information of VFA customers and managed the customers' brokerage accounts,” the order states.

The portal was serviced and maintained by VFA's parent company, Voya Financial Inc.

The cyber intruders impersonated VFA contractors over a six-day period in 2016 by calling VFA's support line and requesting that the contractors' passwords be reset, the SEC states.

The intruders used the new passwords to gain access to the personal information of 5,600 VFA customers.

The SEC's order finds that the intruders then used the customer information to create new online customer profiles and obtain unauthorized access to account documents for three customers.

The order also finds that VFA's failure to terminate the intruders' access stemmed from weaknesses in its cybersecurity procedures, some of which had been exposed during prior similar fraudulent activity. According to the order, VFA also failed to apply its procedures to the systems used by its independent contractors, who make up the largest part of VFA's workforce.

“Customers entrust both their money and their personal information to their brokers and investment advisors,” said Stephanie Avakian, co-director of the SEC Enforcement Division. “VFA failed in its obligations when its deficiencies made it vulnerable to cyber intruders accessing the confidential information of thousands of its customers.”

Without admitting or denying the SEC's findings, VFA agreed to be censured and pay a $1 million penalty, and will retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule and related regulations.


Melanie Waddell

Melanie is senior editor and Washington bureau chief of ThinkAdvisor. Her ThinkAdvisor coverage zeros in on how politics, policy, legislation and regulations affect the investment advisory space. Melanie’s coverage has been cited in various lawmakers’ reports, letters and bills, and in the Labor Department’s fiduciary rule in 2024. In 2019, Melanie received an Honorable Mention, Range of Work by a Single Author award from @Folio. Melanie joined Investment Advisor magazine as New York bureau chief in 2000. She has been a columnist since 2002. She started her career in Washington in 1994, covering financial issues at American Banker. Since 1997, Melanie has been covering investment-related issues, holding senior editorial positions at American Banker publications in both Washington and New York. Briefly, she was content chief for Internet Capital Group’s EFinancialWorld in New York and wrote freelance articles for Institutional Investor. Melanie holds a bachelor’s degree in English from Towson University. She interned at The Baltimore Sun and its suburban edition.