To help everyone get into the spooky Halloween Spirit, episode 23 features Core Compliance’s CEO Michelle Jacko discussing a recent enforcement action dealing with cybersecurity and cybersecurity breaches.
CCO Buzz: Hello and welcome back! To help everyone get into the spooky Halloween Spirit, episode 23 features Core Compliance’s CEO Michelle Jacko discussing a scary matter in 2018, cybersecurity breaches. But more so, she’ll be focusing on a recent SEC enforcement action with Voya Financial Advisors.
Michelle Jacko: Hello, this is Michelle Jacko, CEO of Core Compliance and Legal Services. And on this week’s CCO Buzz we will be focusing on the latest SEC enforcement activity in the matter of Voya Financial Advisors, which focuses on cybersecurity breaches. This particular matter was released on September 26, 2018, and importantly, fines the firm $1 million for its cybersecurity failures.
If you recall, it was almost 8 years ago that Regulation S-ID, otherwise known as the Identity Theft Red Flags Rule, went into effect, and this case marks the first-ever enforcement of that particular law.
Now what happened in the case of Voya is that this Iowa-based broker-dealer and investment advisor had certain weaknesses within its internal controls system, which allowed cyber-intruders to gain access to personal identification of thousands of their customers.
And the fact pattern really is intriguing.
So, during the period from 2013 to approximately October of 2017, Voya Financial Advisors gave its independent contractor representatives access to its online web portal to manage client accounts. During the year of 2016, there were numerous impersonators who had called into Voya Financial Advisors’ call center to reset the representatives’ passwords and they were successful at this endeavor.
The call center actually provided temporary passwords to these alleged representatives, right on the phone. And in two of the cases, provided the username for that representative’s account. What that enabled these cyber-criminals to do was to access personal details for over 5,600 of Voya Financial Advisors’ 13 million customers. They then created customer profiles using the information that they had learned and even gained access to some of the account documents for three of their clients.
While none of the customers lost money as a result of the attack, the SEC has taken a very strict stance that there were internal control failures, as a result of these cyber-criminals being able to get so far along in this process. The commission found that Voya Financial Advisors failed to adopt policies and procedures to protect customer records and they also failed to adopt a written Identity Theft Protection Program, as required by Regulations S-P and S-ID.
It is important to note that Voya promptly addressed and reported this incident to the regulators when it occurred, and they made every attempt to notify individuals who were involved. But as a result of this action, Voya Financial Advisors was found to have deficient cybersecurity controls in place. In the SEC order, they were ordered to cease-and-desist, they were censured, they were provided with a $1 million penalty, and they were required to engage a compliance consultant for two years for implementation of remediation efforts.
Sometimes it is very difficult for a firm to evaluate its own internal controls to see when gaps may occur. In this particular case, the broker-dealer and the investment advisor were not necessarily aware of risks that were inherent within their cybersecurity program. In these types of situations, the firm may benefit from hiring a compliance consultant to come in, to test the waters – so to speak, to see what needs to be updated in procedures to respond to changes and risks that face the business.
Core Compliance & Legal Services does offer this service. For more information, please contact us at (619) 278-0020 or at firstname.lastname@example.org.
CCO Buzz: Well that’s it for this week’s episode. If you’d like additional information, please check out our website at www.corecls.com. You can also follow us on Facebook, LinkedIn or Twitter @CoreCLS. Thank you and we hope you tune into next week’s episode of the CCO Buzz.