Headquarters of the U.S. Securities and Exchange Commission Headquarters of the U.S. Securities and Exchange Commission.
|

This story was updated at 6:00 pm Thursday E.D.T. Sept. 27 with comment from Voya Financial Advisors Inc.

Voya Financial Advisors Inc. has agreed to pay $1 million to the U.S. Securities and Exchange Commission to settle charges connected with an April 2016 cyber intrusion that compromised the personal information of more than 5,600 customers at the broker-dealer and investment adviser.

The SEC said the settlement announced Wednesday was the first connected with charges filed under the Safeguards Rule and the Identity Theft Red Flags Rule adopted by the SEC in 2013, which requires financial services companies to adopt policies and procedures to prevent data theft.

According to the SEC order, Voya failed “to adopt written policies and procedures reasonably designed to protect customer records and information” in violation of the Identity Theft Red Flags Rule.

The company, a Minnesota corporation based in Des Moines, Iowa, didn't admit or deny wrongdoing under the settlement. Voya Financial Advisors has more than 13 million customers and $11 billion in assets under management, according to the SEC documents.

“This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Robert A. Cohen, chief of the SEC Enforcement Division's cyber unit in a news release. “They also must review and update the procedures regularly to respond to changes in the risks they face.”

A company spokesman for Voya Financial Advisors said in an emailed statement Thursday afternoon: “We are pleased to have resolved this matter. After the intrusion, Voya promptly remediated and reported the incident and we notified the individuals who were involved. No personal information was taken electronically from our systems, and there was no evidence of financial harm. We have also enhanced our measures so that a similar situation does not reoccur.” The statement continued, “Voya takes fraud and security matters seriously, and we invest significantly each year in our programs to protect the accounts and personal information of customers. We also know that independent advisors and third parties who work with us are increasingly the targets of fraud. As part of our efforts, Voya continues to work with and support these partners to help protect their identity and client information.”

Joseph Facciponti, a shareholder at Murphy & McGonigle, who is a former federal prosecutor in the Cybercrimes Division of the U.S. Attorney's Office for the Southern District of New York, said in a statement: “When it comes to cybersecurity, the SEC has recently appeared more concerned with ensuring that public companies disclose material cyber risks and incidents and less concerned with policing whether financial services firms' cybersecurity programs were up to the task of protecting customer data from hackers. However, this enforcement action demonstrates that the SEC is still prepared to impose significant penalties where it believes that firms could have done more to protect themselves from cyberattacks.”

The SEC order stated that from at least 2013 through 2017 Voya gave its independent contractor representatives access to its brokerage customer and advisory client information through a web portal that contractor representatives used to access the personally identifiable information of customers and manage their accounts. The contractors used their own computers, IT equipment and networks to access the portals.

Over six days in April 2016, one or more persons impersonating VFA independent contractor representatives called the company's technical support line and requested resets of three representatives' passwords for the portal, in two cases using phone numbers that previously had been used in fraudulent activity, which also involved attempts to impersonate Voya contractors, the order said. They then used the information to create fake new online customer profiles that they used to obtain unauthorized access to account documents for three customers. The SEC said, however, there haven't been any known unauthorized transfer of funds or securities from customer accounts resulting from the intrusion.

According to the SEC order, VFA's registered representatives outnumber its 1,000 employees by almost 3.8 -1 at more than 1,200 locations in the United States providing brokerage and investment advisory services to customers whose account information containing personally identifiable information (PII) they regularly collect and access.

The SEC order stated Voya cybersecurity procedures were applicable to independent contractors including those working out of remote offices, but “were not reasonably designed to apply to the systems they used.”

Contractors' personal computers were supposed to be scanned for antivirus software, encryption and updates, for example, but they were scheduled for only three times a year and the representatives themselves often did not comply, the SEC order stated.

The SEC settlement required Voya to undertake remedial actions including hiring an independent compliance consultant.