Alston & Bird Privacy Blog

SEC Brings First Enforcement Action for Violation of the Identity Theft Red Flags Rule

September 27, 2018 By Cybersecurity Preparedness & Response Team and Securities Litigation Group

On September 26, 2018, the SEC brought its first ever enforcement action for violations of Regulation S-ID (the “Identity Theft Red Flags Rule”), 17 C.F.R. § 248.201, in addition to violations of Regulation S-P, 17 C.F.R. 30(a) (the “Safeguards Rule”). Regulation S-ID and Regulation S-P apply to SEC-registered broker-dealers, investment companies, and investment advisers, and require those entities to maintain written policies and procedures to detect, prevent and mitigate identity theft, and to safeguard customer records and information, respectively. The SEC’s action against Voya Financial Advisors (“Voya”) cements the SEC’s focus on investment adviser and broker-dealer cybersecurity compliance, both in terms of its examination program—which referred the matter to Enforcement—as well as the Division of Enforcement’s Cyber Unit, which investigated and resolved the matter with Voya.

The SEC’s enforcement action against Voya arose out of an April 2016 “vishing” intrusion (voice phishing) that allowed one or more persons impersonating Voya representatives to gain access to personal identifying information of approximately 5,600 of Voya’s customers. The SEC found that Voya’s policies and procedures designed to protect its customers’ personal identifying information were not reasonably designed, in violation of the Safeguards Rule. In addition, the SEC found that Voya violated the Identity Theft Red Flags Rule because (i) Voya had not updated its identity theft prevention program since 2009; (ii) Voya failed to conduct adequate identity theft training; and (iii) Voya’s identity theft prevention program did not include reasonable procedures designed to respond to and prevent an intrusion.

The SEC’s action against Voya was resolved through a settled administrative order, in which Voya neither admitted nor denied the SEC’s findings, but agreed to engage and follow the recommendations of an independent compliance consultant for two years, certify its compliance with the consultant’s recommendations, and pay a $1 million fine. Voya was also enjoined from future violations of Regulation S-P or Regulation S-ID and was censured by the SEC. The SEC noted that, in reaching the settlement, it considered the remedial actions that Voya promptly undertook following the attack.

As Robert Cohen, Chief of the SEC Enforcement Division’s Cyber Unit, stated in a related press release: “This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models. They also must review and update the procedures regularly to respond to changes in the risks they face.” In this sense, the SEC’s action is consistent with its recent emphasis on cybersecurity resilience and governance, as well as the protection of individual investors. It is additionally a reminder to all companies of the importance of thoroughly training relevant employees to mitigate similar phishing and vishing attacks.

Filed Under: Cybersecurity, Enforcement, Security Breach Tagged With: cybersecurity, Regulatory Enforcement, Securities and Exchange Commission
