A recent SEC Order should be a reminder to registered entities, including small- and medium-sized firms, that the SEC is monitoring the reasonableness of their cybersecurity policies and procedures, and that it may take action in the event of a breach, even in the absence of economic harm.

The SEC’s $1 million settlement with broker-dealer and registered investment adviser Voya Financial Advisors Inc. followed the theft of personally identifiable information of thousands of Voya’s customers.  The Order is the first settled SEC action to include a violation of the Identity Theft Red Flags Rule (Rule 201 of Reg S-ID), which Dodd-Frank assigned to the SEC in 2011.  The case also extends the SEC’s existing pattern of bringing actions under the Safeguards Rule (Rule 30(a) of Reg S-P) against registered entities—including R.T. Jones Capital Management and Craig Scott Capital—that the SEC views as having failed to take reasonable measures to protect their data against evolving cyber threats.

As part of the settlement, Voya agreed to retain an independent consultant to review and make recommendations regarding Voya’s policies and procedures for compliance with Reg S-ID and Reg S-P.

According to the Order, over six days in April 2016, attackers exploited gaps in Voya’s technical support procedures to obtain usernames and passwords for Voya’s consultant web portal, through which they accessed and stole Voya’s confidential customer data.

  • The attackers, posing as Voya consultants, called Voya’s technical support line three times and obtained temporary passwords for the consultants’ portal accounts. On two of these three occasions, the support staff also provided the associated account usernames, against company policy.
  • Voya had known it was a target for “vishing” (voice phishing) attempts, and had maintained a list of numbers associated with prior fraudulent activity. But Voya did not require its support staff to check that list when providing password information.  As a result, they failed to detect that the attackers had twice called using a number previously flagged for fraudulent activity.
  • Hours after the first call, the real account holder notified Voya that he had received an unprompted password reset confirmation email. The issue was escalated to Voya’s Incident Response Team.
  • But before Voya had a chance to alert the rest of its staff and tell them not to provide temporary passwords by phone, the attackers had called again and obtained a second temporary password using the same method. And then, despite the alert and the instructions given, the attackers obtained yet another password from the support line soon after.
  • Meanwhile, even after identifying the malicious activity, including the attackers’ IP addresses, Voya’s Incident Response Team did not take steps to block access to affected accounts, to terminate ongoing web sessions, or block traffic from the attackers’ IP addresses.

Using the portal login information, the attackers were able to access at least 5,600 Voya customers’ personally identifiable information, including the full Social Security or government-issued identification numbers for at least 2,000 customers.  The Order notes that there were no known unauthorized transfers of funds or securities from customer accounts as a result of the attack.

The SEC found that Voya had willfully violated both the Safeguards Rule and the Identity Theft Red Flags Rule.  The Safeguards Rule generally requires broker-dealers and investment advisers registered with the SEC to adopt written policies and procedures that are reasonably designed to safeguard customer records and information.  The Red Flags Rule requires certain registered broker-dealers and investment advisers to develop and implement a written identity theft prevention program that is designed to detect, prevent and mitigate identity theft in connection with the opening of certain accounts.

The SEC found that Voya violated the Safeguards Rule because its cybersecurity policies and procedures to protect customer information and to respond to cybersecurity incidents were not reasonably designed to meet those purposes.  Among other technical and operational deficiencies, the SEC noted that Voya did not have reasonable practices with respect to resetting contractor representatives’ passwords, terminating contractor web sessions in the portal, applying controls to consultant accounts, identifying high-risk accounts for additional security measures, or blocking IP addresses associated with known malicious activity.

The SEC found that Voya violated the Red Flags Rule because it did not review and update its 2009 Identity Theft Prevention Program in response to changes in the threat environment and did not provide adequate training to its employees.  The SEC also found that Voya’s program did not include reasonable policies and procedures to respond to identity theft red flags, such as those that were detected in the course of the April 2016 intrusion.

In the Voya Order, the SEC is once again putting the industry on notice that it is monitoring the reasonableness of firms’ cybersecurity policies and procedures, that it will assess those programs using a highly fact-specific standard, and that it will expect them to respond effectively to the ever-evolving threats faced by the industry.  Registered entities, including broker-dealers and investment advisers, should consider revisiting their programs related to the protection of personally identifiable information and other sensitive data (including, where applicable, Identity Theft Prevention Programs) on a regular basis.

The Davis Polk Cyber Portal is now available to assist our clients in their efforts to maintain compliance with their cybersecurity regulatory obligations.  If you have questions about the Portal, please contact avi.gesser@davispolk.com.