SEC hits Voya for cyber security lapse with rarely invoked rules
The U.S. Securities and Exchange Commission’s announcement late last month of a $1 million fine against an investment firm for deficiencies in its cyber security policies and procedures, which invokes for the first time a 6-year-old identity theft rule, sends a clear message to investment firms about its emphasis on cyber security, say experts.
The SEC said in its settlement agreement that Des Moines, Iowa-based broker-dealer and investment adviser Voya Financial Advisors Inc. violated the Safeguards rule, which requires every broker-dealer and investment adviser registered with the commission to adopt written policies and procedures reasonably designed to protect customer records and information.
It said Voya had also violated the Identity Theft Red Flags rule, which requires certain financial institutions and creditors, including broker-dealers and investment advisers, to develop and implement a written identity theft prevention program.
Experts said this was the first time the SEC has invoked the 2013 identity theft rule, and only the third time it has brought an enforcement action involving the Safeguards rule, which was initially promulgated in 2000.
According to the SEC agreement with Voya, which was previously known as ING U.S., over six days in April 2016 one or more persons impersonating its contractor representatives called its technical support line and requested a reset of three representatives’ passwords for the web portal used to access customer account information.
Voya was alerted to the problem within hours, but according to the SEC filing it did not stop the intruders, who retained access to its portal over the next several days.
There have been no known unauthorized transfers of funds or securities from Voya customer accounts because of the breach.
“This case is a reminder to brokers and investment advisers that cyber security procedures must be reasonably designed to fit their specific business models,” Robert A. Cohen, chief of the SEC Enforcement Division’s cyber unit, said in the statement. “They also must review and update the procedures regularly to respond to changes in the risks they face.”
Voya has neither admitted nor denied the SEC’s findings, according to the SEC statement. A company spokesman could not be reached for further comment.
Observers say a $1 million fine is not material for Voya, which reported $8.6 billion in 2017 revenues.
“Their policies and procedures weren’t terribly strong, since the intruders seem to be able to compromise them rather quickly, and although they were found out fairly quickly, it took them days to do anything,” said Thomas O. Gorman, a partner at Dorsey & Whitney LLP in Washington.
“That lack of follow up, I think, is really the main thing that precipitated” the outcome, he said.
There is “not a bright line” where companies are doing everything right or wrong, said Glen P. Barrentine, a partner with Winston & Strawn LLP in New York.
Most situations are complex, “and so the SEC ends up using discretionary judgment in terms of do they want to bring an enforcement action or not,” Mr. Barrentine said. The question is whether the SEC concluded the firm had fallen “far below the accepted level of behavior, or are they trying to send a message?”
The fine “shows a shift in the SEC’s recent cyber security focus of the past year or so,” which has “been emphasizing the importance of cyber security disclosures by public companies with respect to their material cyber risk,” said Joseph P. Facciponti, a partner with Murphy & McGonigle P.C. in New York and a former federal prosecutor who handled a wide range of financial and computer crimes.
The Safeguards rule mainly requires that companies such as Voya have appropriate safeguards in place to protect their customers’ information, said Shawn Tuma, a partner with Spencer Fane LLP in Dallas.
Voya did have a breach response plan in place, according to Mr. Tuma. With this case, the SEC is taking the issue a step further by requiring companies not only to have policies and procedures but also to implement them, he said.
“Companies need to take their cyber security more seriously. They need to have a risk management plan in place that helps them assess their risks and take action to mitigate those risks,” he said.
“What was really interesting here is there was no acknowledged harm to any investor,” said Sunil Shenoi, a partner with Kirkland & Ellis LLP in Chicago.
This was a big step for the SEC, because many companies have security incidents where there is a breach, and they consider themselves fortunate if no data is lost, Mr. Shenoi said.
“Companies now have to realize it’s not just a case of money loss,” but that they will be judged on the basis that there has been an incident, he said.
Erica Williams, a partner with Kirkland & Ellis in Washington, said that while the cyber security guidance issued by the SEC earlier this year emphasized the importance of public companies disclosing incidents involving material risk, in this case “materiality was not an issue.”
The fine demonstrates that “when it comes to SEC registrants, the SEC is not hesitant to bring actions even for nonmaterial incidents,” she said.