SEC fines Voya $1M for cybersecurity failures

Almost eight years after the Identity Theft Red Flags rule went into effect, the SEC announced its first enforcement of the law.


The Des Moines, Iowa-based broker-dealer and investment advisor Voya Financial Advisors will pay $1 million to settle charges that it failed to adopt procedures that protected customer records and failed to address weaknesses in its cybersecurity policy after cyber intruders gained access to the personal information of several thousand customers.

Over the course of six days in April 2016, cyber thieves impersonated Voya Financial Advisors contractors on the firm’s technical support line and requested that representatives’ passwords be reset for access to the proprietary web portal Voya used to share customer information with contractors.


The SEC order states that two of the phone numbers the impersonators used had already been identified by the company as linked to prior attempts to impersonate Voya Financial Advisors contractors. Nonetheless, Voya Financial’s support staff still reset their passwords and even provided the representative’s username.

While the affected contractors contacted the firm to report the suspicious account changes, the steps Voya took to end the intrusions did not work and the fraudsters were able to impersonate more contractors, the SEC order states.

Using the reset passwords, the thieves were able to access personal details for 5,600 of Voya’s 13 million customers. They then created new customer profiles using the information they’d gleaned from posing as contractors and even gained access to account documents for three clients. No customer lost money as a result of the attack, according to the SEC order and Voya Financial.

“Voya promptly addressed and reported the incident when it occurred two years ago, and we notified the individuals who were involved,” said Joe Loparco, Voya Financial’s vice president of communications, in an emailed statement. “No personal information was downloaded from our systems, and there was no evidence of financial harm.”

The SEC’s order found that Voya Financial Advisors’ inability to end the intruders’ access stemmed from problems within its cybersecurity procedures, some of which had already been highlighted during previous fraudulent activity attempts. The firm’s cybersecurity procedures were also not applied to the systems used by its independent contractors, who make up the largest portion of Voya’s workforce, the SEC order notes.

“Customers entrust both their money and their personal information to their brokers and investment advisers,” said Stephanie Avakian, co-director of the SEC Enforcement Division, in a statement. “[Voya] failed in its obligations when its deficiencies made it vulnerable to cyber intruders accessing the confidential information of thousands of its customers.”

Voya Financial Advisors agreed to be censured and pay the $1 million penalty, but admitted no wrongdoing. It will, however, hire an independent consultant to review its procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule.

Loparco added that Voya Financial Advisors has since improved its cybersecurity procedures to prevent a similar situation from reoccurring.

“This case is a reminder to brokers and investment advisors that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Robert Cohen, chief of the SEC enforcement division’s cyber unit. “They also must review and update the procedures regularly to respond to changes in the risks they face.”

Businesses would do well to heed Cohen’s advice by evaluating their own cybersecurity policies and making improvements, as experts in the cybersecurity space feel the SEC will increase its enforcement of these rules.

“We think the SEC is just scratching the surface,” said Sid Yenamandra, co-founder and CEO of Entreda, a cyber security firm that works with wealth management practices and brokerages. “In this particular case, Voya just happened to be the company that was flagged. But this could happen to any organization.”

Additional reporting by Tobias Salinger.

