SEC fines Voya $1M for cybersecurity failures
Almost eight years after the Identity Theft Red Flags rule went into effect, the SEC announced its first enforcement of the law.
The Des Moines, Iowa-based broker-dealer and investment advisor Voya Financial Advisors will pay $1 million to settle charges that it failed to adopt procedures that protected customer records and address weaknesses in its cybersecurity policy after cyber intruders gained access to the personal information of several thousand customers.
Over the course of six days in April 2016, cyber thieves impersonated Voya Financial Advisors contractors on the firm’s technical support line and requesting representatives’ passwords be reset for access to the proprietary web portal Voya used to share customer information with contractors.
The SEC order states that two of the phone numbers the impersonators used had already been identified by the company as linked to prior attempts to impersonate Voya Financial Advisor contractors. Nonetheless, Voya Financial’s support staff still reset their passwords and even provided the representative’s username.
While the affected contractors contacted the firm to report the suspicious account changes, the steps Voya took to end the intrusions did not work and the fraudsters were able to impersonate more contractors, the SEC order states.
Using the reset passwords, the thieves were able to access personal details for 5,600 of Voya’s 13 million customers. They then created new customer profiles using the information they’d gleaned from posing as contractors and even gained access to account documents for three clients. No customer lost money as a result of the attack, according to the SEC order and Voya Financial.
“Voya promptly addressed and reported the incident when it occurred two years ago, and we notified the individuals who were involved,” said Joe Loparco, Voya Financial’s vice president of communications in an emailed statement. “No personal information was downloaded from our systems, and there was no evidence of financial harm.”
The SEC’s order found that Voya Financial Advisors’ inability to end the intruders’ access comes from problems within its cybersecurity procedures, some of which had already been highlighted during previous fraudulent activity attempts. The firm’s cybersecurity procedures were also not applied to the systems used by its independent contractors, which comprise the largest portion of Voya’s workforce, the SEC order notes.
“Customers entrust both their money and their personal information to their brokers and investment advisers,” said Stephanie Avakian, co-director of the SEC Enforcement Division in a statement. “[Voya] failed in its obligations when its deficiencies made it vulnerable to cyber intruders accessing the confidential information of thousands of its customers.”
Voya Financial Advisors agreed to be censured and pay the $1 million penalty, but admitted no wrongdoing. It will, however, hire an independent consultant to review its procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule.
Loparco added that Voya Financial Advisors has since improved its cybersecurity procedures to prevent a similar situation from reoccurring.
“This case is a reminder to brokers and investment advisors that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Robert Cohen, chief of the SEC enforcement division’s cyber unit. “They also must review and update the procedures regularly to respond to changes in the risks they face.”
Businesses would do well to heed Cohen’s advice and evaluate their own cybersecurity policies and make improvements as experts in the cybersecurity space feel the SEC will be increasing their enforcement of these rules.
“We think the SEC is just scratching the surface,” said Sid Yenamandra, co-founder and CEO of Entreda, a cyber security firm that works with wealth management practices and brokerages. “In this particular case, Voya just happened to be the company that was flagged. But this could happen to any organization.”
Additional reporting by Tobias Salinger.