SEC Brings First Enforcement Action for Violation of the Identity Theft Red Flags Rule


On September 26, 2018, the SEC brought its first ever enforcement action for violations of Regulation S-ID (the “Identity Theft Red Flags Rule”), 17 C.F.R. § 248.201, together with violations of Regulation S-P, 17 C.F.R. § 248.30(a) (the “Safeguards Rule”). Regulation S-ID and Regulation S-P apply to SEC-registered broker-dealers, investment companies, and investment advisers. Regulation S-ID requires those entities to maintain a written identity theft prevention program with policies and procedures to detect, prevent and mitigate identity theft; the Safeguards Rule requires written policies and procedures reasonably designed to safeguard customer records and information. The SEC’s action against Voya Financial Advisors (“Voya”) cements the SEC’s focus on investment adviser and broker-dealer cybersecurity compliance, both in terms of its examination program, which referred the matter to Enforcement, and the Division of Enforcement’s Cyber Unit, which investigated and resolved the matter with Voya.

The SEC’s enforcement action against Voya arose out of an April 2016 “vishing” (voice phishing) intrusion, in which one or more persons impersonating Voya representatives over the telephone gained access to the personal identifying information of approximately 5,600 Voya customers. The SEC found that Voya’s policies and procedures for protecting its customers’ personal identifying information were not reasonably designed, in violation of the Safeguards Rule. In addition, the SEC found that Voya violated the Identity Theft Red Flags Rule because (i) Voya had not updated its identity theft prevention program since 2009; (ii) Voya failed to conduct adequate identity theft training; and (iii) Voya’s identity theft prevention program did not include reasonable procedures designed to respond to and prevent an intrusion. Taken together, these findings turn on program maintenance rather than on the sophistication of the attack: a program that is written once and never reviewed against the firm’s current business, staffing and access practices will not satisfy the rule, however sound it was when adopted.

The SEC’s action against Voya was resolved through a settled administrative order, in which Voya neither admitted nor denied the SEC’s findings, but agreed to engage and follow the recommendations of an independent compliance consultant for two years, to certify its compliance with the consultant’s recommendations, and to pay a $1 million penalty. Voya was also ordered to cease and desist from future violations of Regulation S-P and Regulation S-ID, and was censured by the SEC. The SEC noted that, in reaching the settlement, it considered the remedial actions that Voya promptly undertook following the attack.

As Robert Cohen, Chief of the SEC Enforcement Division’s Cyber Unit, stated in a related press release: “This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models. They also must review and update the procedures regularly to respond to changes in the risks they face.” In this sense, the SEC’s action is consistent with its recent emphasis on cybersecurity resilience and governance, as well as on the protection of individual investors. It is additionally a reminder to all companies of the importance of thoroughly training the employees who handle customer accounts and credentials, since phishing and vishing attacks of this kind target those employees rather than any technical vulnerability in the firm’s systems.