In the first case of its kind, charges have been filed against a firm for failure to meet the standards of the Identity Theft Red Flags Rule, which sets standards for the protection of customers against identity theft.
Des Moines broker-dealer Voya Financial Advisors Inc. (VFA) has recently agreed to pay $1 million in penalties to settle charges related to a failure of cybersecurity policies and procedures that occurred when a successful cyber intrusion compromised thousands of customers’ personal information.
A majority of VFA’s workforce comprises independent contractors, a circumstance that was exploited by the cyber intruders. The hackers:
- Impersonated VFA contractors, calling the support line and requesting passwords be reset
- Obtained control of the contractors’ access credentials
- Used those access credentials to access the accounts of 5600 VFA customers and steal personal information
- Used the stolen personal information to create new online customer profiles
- Gained access to the account documents of 3 clients
The SEC claims that certain weaknesses in cybersecurity policies and procedures resulted in the failure to detect and terminate the intruders’ access, and that such weaknesses in cybersecurity at VFA had been previously exposed when past fraudulent activity targeting VFA customers occurred.
Appropriate corrective measures had apparently not been implemented.
The Red Flags Rule Demands Appropriate Policies and Procedures
The Safeguards Rule and the Identity Theft Red Flags Rule have been implemented to protect customers’ confidential information and protect them against attempts at identity theft, but VFA’s policies failed to meet these regulatory standards.
Furthermore, appropriate cybersecurity policies and procedures had not been applied to the large numbers of independent contractors employed by VFA.
“Customers entrust both their money and their personal information to their brokers and investment advisers. VFA failed in its obligations when its deficiencies made it vulnerable to cyber intruders accessing the confidential information of thousands of its customers,” said Stephanie Avakian, Co-Director of the SEC Enforcement Division.
Without admitting or denying fault, VFA agreed to a censure and to pay $1 million in penalties.
VFA will be accountable for retaining an independent consultant to review its policies and procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule and other related regulations.
Your Cybersecurity Setup Must Be Frequently Reviewed
Two takeaways from this case were succinctly stated by the Chief of the SEC Enforcement Division’s Cyber Unit, Robert A. Cohen:
“This case is a reminder to brokers and investment advisers (RIAs) that cybersecurity procedures must be reasonably designed to fit their specific business models. They also must review and update the procedures regularly to respond to changes in the risks they face.”
To ensure effective responses to cybersecurity threats, employees must be kept abreast of new developments and trained in the proper techniques to detect a breach in security and respond effectively.
Frequently reviewed policies and relevant employee training are core components of a strong cybersecurity policy.
Due Diligence Required for Independent Contractors
In a third takeaway, it’s clear that adequate due diligence for independent contractors is a must. Cybersecurity controls for, and used by, independent contractors and third-party vendors are essential to ensure that bad actors don’t gain unimpeded access to an RIA’s electronic systems.
Core Compliance & Legal Services, Inc., can help RIAs with creating or updating cybersecurity policies and procedures, incident response plans, training programs, and due diligence procedures reasonably tailored to an RIA’s business.