With near-daily reports of foreign hacking, exposure of personal information, and corporate data breaches, cybersecurity sits at the forefront in the minds of many, including the federal government and global regulators. This September, the White House announced a new National Cyber Strategy, outlining how the United States intends to respond to vulnerabilities created by a globally-connected cyberspace where individuals, organizations, and nations interact, advance their interests, and hold sensitive data. National Cyber Strategy of the United States of America, September 2018. The strategy committed “to identify[ing] gaps and potential mechanisms for bringing foreign based cyber criminals to justice” and raised the importance of collaborating with international law enforcement given the “borderless nature of cybercrime.” Id. at 11.

Concurrently with this strategy, recent actions by regulators in the U.S. and abroad have made clear that they expect companies to pull their weight by taking adequate cybersecurity measures. Also in September, the Department of Justice's Cybersecurity Unit issued revised guidance on how organizations should anticipate and respond to cybersecurity incidents. Best Practices for Victim Response and Reporting of Cyber Incidents, September 2018. Recent enforcement actions from U.S. and U.K. regulators highlight the risks companies face if their cybersecurity measures are deemed inadequate.

Voya Financial Advisors

On Sept. 26, 2018, the U.S. Securities and Exchange Commission (SEC) announced a $1 million settlement with registered broker-dealer/investment advisor Voya Financial Advisors (VFA) stemming from “failures in cybersecurity policies and procedures surrounding a cyber intrusion that compromised personal information of thousands of customers.” Press Release, Securities and Exchange Commission, SEC Charges Firm with Deficient Cybersecurity Procedures (Sept. 26, 2018). The SEC charged Voya with violating the Safeguards Rule (17 C.F.R. §248.30(a)) and, for the first time in an enforcement action, the Identity Theft Red Flags Rule (17 C.F.R. §248.201). Both are designed to protect confidential customer information electronically held by financial institutions. The SEC found that VFA had violated these rules by failing “to adopt written policies and procedures reasonably designed to protect customer records and information.” In re Voya Financial Advisors (File No. 3-18840).

The circumstances of VFA's data breach are familiar. VFA employed a web portal through which its contractor representatives could access customers' personally identifiable information and manage accounts. In April 2016, hackers impersonating VFA contractor representatives called the VFA technical support line and asked to reset three representatives' web portal passwords. VFA previously had identified two of the phone numbers used by the imposters as associated with suspected fraudulent activity. Nonetheless, technical support reset the passwords, provided temporary passwords by phone, and, in two instances, also provided usernames to the imposters. VFA kept the accounts active even after one of the real contractor representatives informed the company that he had not requested a new password or changes to his account. Id.

The SEC found that VFA's cybersecurity measures did not “prevent the intruders from obtaining passwords and gaining access to VFA's portal by impersonating two additional representatives over the next several days.” It further blamed VFA's “deficient cybersecurity controls” for failure to timely “terminate the intruders' access to the three representatives' accounts.” Id. Though no known unauthorized customer transactions occurred, the intruders gained access to personal identifying information for at least 5,600 customers and account information for at least one.

The SEC determined that VFA had violated the Safeguards Rule by failing to maintain written policies and procedures that “(1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.” Id.; 17 C.F.R. §248.30(a). The SEC found that VFA's policies and procedures on resetting passwords, terminating web portal access, identifying high risk accounts, and creating customer profiles were not reasonably designed to meet these objectives, and that other VFA cybersecurity policies and procedures were not reasonably designed to apply to contractor representatives.

The SEC further determined that VFA had violated the Identity Theft Red Flags Rule's requirement that registered broker-dealers and investment advisers, inter alia, maintain an appropriate written Identity Theft Prevention Program “to detect, prevent, and mitigate identity theft.” The program's policies and procedures, which must be updated periodically, must identify and incorporate relevant red flags, and detect and respond appropriately when red flags occur. 17 C.F.R. § 248.201. In this case, “[a]lthough VFA adopted a written Identity Theft Prevention Program in 2009, VFA violated the Identity Theft Red Flags Rule because it did not review and update the Identity Theft Prevention Program in response to changes in risks to its customers or provide adequate training to its employees. In addition, the Identity Theft Prevention Program did not include reasonable policies and procedures to respond to identity theft red flags, such as those that were detected by VFA during the April 2016 intrusion.” In re Voya Financial Advisors (File No. 3-18840).

In reaching the settlement, the SEC credited VFA's prompt remedial efforts—including blocking the intruders' IP addresses, revising policies to prohibit providing temporary passwords by phone, and advising affected customers of the breach and offering free credit monitoring—and its hiring of a new Chief Information Security Officer to help prevent future security breaches. Id.

Tesco Bank

Across the pond, the Financial Conduct Authority (FCA) announced on Oct. 1, 2018 that it had fined Tesco Bank £16,400,000 (roughly $21,500,000) “for failing to exercise due skill, care and diligence in protecting its personal current account holders” against a November 2016 cyber-attack. Press Release, Financial Conduct Authority, FCA Fines Tesco Bank £16.4m for Failures in 2016 Cyber Attack (Oct. 1, 2018). Tesco's hackers are thought to have used an algorithm to generate new Tesco Bank debit card numbers, then used those “virtual cards” in thousands of unauthorized, contactless debit transactions. Although no customer data was stolen, the FCA determined that deficiencies in Tesco's “design of its debit card, its financial crime controls and in its Financial Crime Operations Team” left personal account holders vulnerable. It deemed the incident, which netted the hackers £2.26 million (roughly $3 million), “largely avoidable.” Final Notice to Tesco Personal Finance Plc (Ref. No. 186022).

It took approximately 21 hours from when the attack on Tesco started for notification to reach the appropriate Fraud Strategy Team. The Fraud Strategy Team promptly made internal changes to block the fraudulent transactions, but ultimately had to engage external experts to uncover the full extent of the breach. When news of the incident reached senior management, they took immediate action to block online and contactless transactions. The FCA determined that “[s]enior managements' actions stopped the fraudulent transactions. They updated customers regularly and deployed significant resources to return customers to their previous financial position.” Id. Although 80 percent of the fraudulent transactions were ultimately stopped, over 8,000 personal accounts had been affected, and customers experienced distress, embarrassment, and inconvenience from the messages they received about the attack and their inability to use their cards. Id.

The FCA found that Tesco Bank had violated FCA Principle 2, which requires a firm to “conduct its business with due skill, care and diligence.” Tesco ran afoul of this principle through defects in its debit card design and fraud detection rules and by failing to address known risks about the source of the fraudulent transactions. Id. The resulting £16.4 million penalty represented a 30 percent discount due to the bank's early settlement; otherwise, the penalty would have been over £23 million (over $30 million). Id.

In assessing the appropriate penalty, the FCA considered Tesco's remedial efforts—which included refunding fees and reimbursing losses—and its full cooperation in the subsequent investigation. Specifically, the bank “independently commissioned expert reports on the root cause of the incident and its financial crime controls. It provided the reports to the Authority and took prompt steps to examine and revise its processes and procedures consistent with the recommendations in the reports … . Tesco Bank also agreed to participate in a symposium to discuss the lessons it learned from the attack with banks, other regulators and law enforcement agencies.” Id.

Conclusion

Even as law enforcement agencies increase their efforts to combat cybersecurity incidents and hold perpetrators responsible, corporate targets remain at risk of regulatory action following a cybersecurity breach. The recent SEC and FCA actions against VFA and Tesco Bank highlight the need for companies to remain vigilant in ensuring adequate internal protections, in order to avoid hefty fines, penalties, and negative publicity. They also underscore the importance of a swift remedial response to any breach, both to stem the impact of the intrusion and to improve standing with regulators who may come calling.

Vera M. Kachnowski is of counsel and Peter J. Sluka is an associate at Schlam Stone & Dolan, where they specialize in white-collar defense and complex civil litigation.