Voya Financial Pays $1 Million to Settle SEC Charges for Deficient Cybersecurity
The U.S. Securities and Exchange Commission said the settlement announced Wednesday was the first connected with charges filed under the Safeguards Rule and the Identity Theft Red Flags Rule adopted by the SEC in 2013, which requires financial services companies to adopt policies and procedures to prevent data theft.
September 27, 2018 at 02:56 PM
5 minute read
|
This story was updated at 6:00 pm Thursday E.D.T. Sept. 27 with comment from Voya Financial Advisors Inc.
Voya Financial Advisors Inc. has agreed to pay $1 million to the U.S. Securities and Exchange Commission to settle charges connected with an April 2016 cyber intrusion that compromised the personal information of more than 5,600 customers at the broker-dealer and investment adviser.
The SEC said the settlement announced Wednesday was the first connected with charges filed under the Safeguards Rule and the Identity Theft Red Flags Rule adopted by the SEC in 2013, which requires financial services companies to adopt policies and procedures to prevent data theft.
According to the SEC order, Voya failed “to adopt written policies and procedures reasonably designed to protect customer records and information” in violation of the Identity Theft Red Flags Rule.
The company, a Minnesota corporation based in Des Moines, Iowa, didn't admit or deny wrongdoing under the settlement. Voya Financial Advisors has more than 13 million customers and $11 billion in assets under management, according to the SEC documents.
“This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Robert A. Cohen, chief of the SEC Enforcement Division's cyber unit in a news release. “They also must review and update the procedures regularly to respond to changes in the risks they face.”
A company spokesman for Voya Financial Advisors said in an emailed statement Thursday afternoon: “We are pleased to have resolved this matter. After the intrusion, Voya promptly remediated and reported the incident and we notified the individuals who were involved. No personal information was taken electronically from our systems, and there was no evidence of financial harm. We have also enhanced our measures so that a similar situation does not reoccur.” The statement continued, “Voya takes fraud and security matters seriously, and we invest significantly each year in our programs to protect the accounts and personal information of customers. We also know that independent advisors and third parties who work with us are increasingly the targets of fraud. As part of our efforts, Voya continues to work with and support these partners to help protect their identity and client information.”
Joseph Facciponti, a shareholder at Murphy & McGonigle, who is a former federal prosecutor in the Cybercrimes Division of the U.S. Attorney's Office for the Southern District of New York, said in a statement: “When it comes to cybersecurity, the SEC has recently appeared more concerned with ensuring that public companies disclose material cyber risks and incidents and less concerned with policing whether financial services firms' cybersecurity programs were up to the task of protecting customer data from hackers. However, this enforcement action demonstrates that the SEC is still prepared to impose significant penalties where it believes that firms could have done more to protect themselves from cyberattacks.”
The SEC order stated that from at least 2013 through 2017 Voya gave its independent contractor representatives access to its brokerage customer and advisory client information through a web portal that contractor representatives used to access the personally identifiable information of customers and manage their accounts. The contractors used their own computers, IT equipment and networks to access the portals.
Over six days in April 2016, one or more persons impersonating VFA independent contractor representatives called the company's technical support line and requested resets of three representatives' passwords for the portal, in two cases using phone numbers that previously had been used in fraudulent activity, which also involved attempts to impersonate Voya contractors, the order said. They then used the information to create fake new online customer profiles that they used to obtain unauthorized access to account documents for three customers. The SEC said, however, there haven't been any known unauthorized transfer of funds or securities from customer accounts resulting from the intrusion.
According to the SEC order, VFA's registered representatives outnumber its 1,000 employees by almost 3.8 -1 at more than 1,200 locations in the United States providing brokerage and investment advisory services to customers whose account information containing personally identifiable information (PII) they regularly collect and access.
The SEC order stated Voya cybersecurity procedures were applicable to independent contractors including those working out of remote offices, but “were not reasonably designed to apply to the systems they used.”
Contractors' personal computers were supposed to be scanned for antivirus software, encryption and updates, for example, but they were scheduled for only three times a year and the representatives themselves often did not comply, the SEC order stated.
The SEC settlement required Voya to undertake remedial actions including hiring an independent compliance consultant.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllAttorneys 'On the Move': Structured Finance Attorney Joins Hunton Andrews Kurth; Foley Adds IP Partner
4 minute readNY Civil Liberties Legal Director Stepping Down After Lengthy Tenure
Former Top Aide to NYC Mayor Is Charged With Bribery Conspiracy
Trending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250