[BreachExchange] SEC fines Voya $1M for cybersecurity failures

Destry Winant destry at riskbasedsecurity.com
Thu Sep 27 22:38:26 EDT 2018


https://www.financial-planning.com/news/sec-fines-voya-financial-advisors-1-million-for-cybersecurity-failures

Almost eight years after the Identity Theft Red Flags rule went into
effect, the SEC announced its first enforcement of the law.

The Des Moines, Iowa-based broker-dealer and investment advisor Voya
Financial Advisors will pay $1 million to settle charges that it
failed to adopt procedures that protected customer records and address
weaknesses in its cybersecurity policy after cyber intruders gained
access to the personal information of several thousand customers.

Over the course of six days in April 2016, cyber thieves impersonated
Voya Financial Advisors contractors on the firm’s technical support
line and requested that representatives’ passwords be reset for access
to the proprietary web portal Voya used to share customer information
with contractors.

The SEC order states that two of the phone numbers the impersonators
used had already been identified by the company as linked to prior
attempts to impersonate Voya Financial Advisor contractors.
Nonetheless, Voya Financial’s support staff still reset their
passwords and even provided the representative’s username.

While the affected contractors contacted the firm to report the
suspicious account changes, the steps Voya took to end the intrusions
did not work and the fraudsters were able to impersonate more
contractors, the SEC order states.

Using the reset passwords, the thieves were able to access personal
details for 5,600 of Voya’s 13 million customers. They then created
new customer profiles using the information they’d gleaned from posing
as contractors and even gained access to account documents for three
clients. No customer lost money as a result of the attack, according
to the SEC order and Voya Financial.

“Voya promptly addressed and reported the incident when it occurred
two years ago, and we notified the individuals who were involved,”
said Joe Loparco, Voya Financial’s vice president of communications, in
an emailed statement. “No personal information was downloaded from our
systems, and there was no evidence of financial harm.”

The SEC’s order found that Voya Financial Advisors’ inability to end
the intruders’ access comes from problems within its cybersecurity
procedures, some of which had already been highlighted during previous
fraudulent activity attempts. The firm’s cybersecurity procedures were
also not applied to the systems used by its independent contractors,
which comprise the largest portion of Voya’s workforce, the SEC order
notes.

“Customers entrust both their money and their personal information to
their brokers and investment advisers,” said Stephanie Avakian,
co-director of the SEC Enforcement Division, in a statement. “[Voya]
failed in its obligations when its deficiencies made it vulnerable to
cyber intruders accessing the confidential information of thousands of
its customers.”

Voya Financial Advisors agreed to be censured and pay the $1 million
penalty, but admitted no wrongdoing. It will, however, hire an
independent consultant to review its procedures for compliance with
the Safeguards Rule and Identity Theft Red Flags Rule.

Loparco added that Voya Financial Advisors has since improved its
cybersecurity procedures to prevent a similar situation from
reoccurring.

“This case is a reminder to brokers and investment advisors that
cybersecurity procedures must be reasonably designed to fit their
specific business models,” said Robert Cohen, chief of the SEC
enforcement division’s cyber unit. “They also must review and update
the procedures regularly to respond to changes in the risks they
face.”

Businesses would do well to heed Cohen’s advice, evaluate their own
cybersecurity policies and make improvements, as experts in the
cybersecurity space feel the SEC will be increasing its enforcement
of these rules.

“We think the SEC is just scratching the surface,” said Sid
Yenamandra, co-founder and CEO of Entreda, a cyber security firm that
works with wealth management practices and brokerages. “In this
particular case, Voya just happened to be the company that was
flagged. But this could happen to any organization.”

