
Regulatory Sanctions

BD/IA Charged with Deficient Cybersecurity Procedures

October 9, 2018

by Howard Haykin


Voya Financial Advisors, a dually registered broker-dealer and investment advisor, agreed to pay a $1 million fine to settle SEC charges that its cybersecurity policies and procedures failed to prevent a cyber intrusion that compromised personal information of thousands of customers. In settling the charges, the firm also agreed to retain an independent compliance consultant to review its policies and procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule and related regulations.


SEC FINDINGS.    From at least 2013 through October 2017, Voya Financial Advisors (“VFA”) gave its independent Contractor Representatives (“Contractor Reps”) access to its brokerage customer and advisory client information through a proprietary web portal. Through the portal, the Contractor Reps accessed the personally identifiable information of VFA customers and managed the customers’ brokerage accounts. The portal was serviced and maintained by VFA’s parent company, Voya Financial, Inc. (“Voya”). The Contractor Reps generally used their own IT equipment and their own networks to access the portal. Voya’s service call centers handled support calls from VFA’s customers and VFA’s Contractor Reps.


Over a 6-day period in April 2016, one or more persons impersonating VFA Contractor Reps called VFA’s Technical Support line and requested a reset of 3 Reps’ passwords for the web portal used to access VFA customer information.


  • In 2 instances, the intruder(s) used phone numbers Voya had previously identified as associated with prior fraudulent activity. The prior activity also involved attempts to impersonate VFA Contractor Reps in calls to Voya’s technical and customer support lines. Voya’s technical support staff reset the passwords and provided temporary passwords over the phone, and on 2 of the 3 occasions, they also provided the Rep’s username.


  • Three hours after the 1st fraudulent reset request, the targeted Contractor Rep notified a technical support employee that he had received an email confirming the password change, but he had not requested such a change.


  • Although VFA took certain steps to respond to the intrusion, those steps did not prevent the intruders from obtaining passwords and gaining access to VFA’s portal by impersonating 2 additional Reps over the next several days. Nor did VFA terminate the intruders’ access to the 3 Reps’ accounts due to deficient cybersecurity controls and an erroneous understanding of the operation of the portal.


The intruders used the VFA Contractor Reps’ usernames and passwords to log in to the portal and gain access to personally identifiable information ("PII") for at least 5,600 of VFA’s customers, and subsequently to obtain account documents containing PII of at least one Voya customer. The intruders also used customer information to create new customer profiles, which gave them access to PII and account information of 2 additional customers. There have been no known unauthorized transfers of funds or securities from VFA customer accounts as a result of the attack.


WHAT WENT WRONG.    VFA violated the Safeguards Rule because its written policies and procedures to protect customer information and to prevent and respond to cybersecurity incidents were not reasonably designed to meet the objectives of the rule. Among other things, VFA’s policies and procedures with respect to resetting VFA Contractor Reps’ passwords, terminating web sessions in its proprietary gateway system for VFA Contractor Reps, identifying higher-risk Reps and customer accounts for additional security measures, and creation and alteration of customer profiles on Voya’s database, were not reasonably designed. In addition, a number of VFA’s cybersecurity policies and procedures were not reasonably designed to be applied to its Contractor Reps.


VFA violated the Identity Theft Red Flags Rule because it did not review and update its Identity Theft Prevention Program in response to changes in risks to its customers or provide adequate training to its employees. In addition, the Identity Theft Prevention Program did not include reasonable policies and procedures to respond to identity theft red flags, such as those that VFA itself detected during the April 2016 intrusion.


VFA’S REMEDIAL EFFORTS.    In determining its sanctions, the SEC considered remedial acts undertaken by VFA. After the intrusion, VFA promptly undertook certain remedial acts, including: (i) blocking the malicious IP addresses; (ii) revising its user authentication policy to prohibit provision of a temporary password by phone; (iii) issuing breach notices to the affected customers, describing the intrusion and offering one year of free credit monitoring; and (iv) implementing effective MFA for VPro. Furthermore, in August 2017, VFA named a new Chief Information Security Officer, who is responsible for creating and maintaining cybersecurity policies and procedures and an incident response plan tailored to VFA’s business.
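The findings above describe a help-desk reset flow that failed on several points: calls from numbers already tied to prior impersonation attempts were honored, temporary passwords (and usernames) were read out over the phone, a rep's report of an unrequested reset did not lock the account, and existing sessions survived. The following is an added illustration, not Voya's or VFA's code, of what a reset desk looks like when those controls are in place. Every name in it (`ResetDesk`, `Rep`, the sample reps, the phone numbers and the watchlist) is constructed for the example; the order names only the policy changes, not any implementation.

```python
"""Help-desk password-reset workflow with the controls the order points at.

Constructed example, not VFA's or Voya's code. The classes, rep records,
phone numbers and fraud watchlist below are hypothetical sample data.
"""
from dataclasses import dataclass, field
import secrets
from typing import Dict, List, Optional, Set


@dataclass
class Rep:
    username: str
    phone_on_file: str                      # number verified at onboarding
    active_sessions: Set[str] = field(default_factory=set)
    locked: bool = False


@dataclass
class ResetOutcome:
    allowed: bool
    reason: str
    # The temporary password is never handed to the caller; it goes out-of-band
    # to the contact on file. The caller only learns which channel was used.
    delivery_channel: Optional[str] = None


class ResetDesk:
    def __init__(self, reps: Dict[str, Rep], fraud_numbers: Set[str]):
        self.reps = reps
        self.fraud_numbers = fraud_numbers  # numbers tied to prior impersonation calls
        self.audit: List[dict] = []
        self.pending_temp: Dict[str, str] = {}  # username -> temp password (server side only)

    def request_reset(self, claimed_username: str, caller_number: str,
                      callback_answered: bool) -> ResetOutcome:
        """Handle a phoned-in reset. The desk never echoes the username back,
        never reads a temporary password aloud, and kills live sessions."""
        rep = self.reps.get(claimed_username)
        if rep is None or rep.locked:
            return self._deny(claimed_username, caller_number, "unknown or locked account")
        # Red flag: number previously linked to fraudulent impersonation calls
        if caller_number in self.fraud_numbers:
            return self._deny(claimed_username, caller_number, "caller number on fraud watchlist")
        # Out-of-band verification: the desk calls the number on file back and the
        # real rep must answer, regardless of which number the request came from
        if not callback_answered:
            return self._deny(claimed_username, caller_number, "callback to number on file not answered")
        self.pending_temp[claimed_username] = secrets.token_urlsafe(12)
        # Existing sessions are terminated so a stolen session cannot outlive the reset
        rep.active_sessions.clear()
        self.audit.append({"event": "reset_issued", "user": claimed_username, "from": caller_number})
        return ResetOutcome(True, "temporary password sent out-of-band", "registered_email")

    def _deny(self, user: str, number: str, reason: str) -> ResetOutcome:
        self.audit.append({"event": "reset_denied", "user": user, "from": number, "reason": reason})
        return ResetOutcome(False, reason)

    def report_unrequested_reset(self, username: str) -> bool:
        """A rep reports a reset confirmation they never asked for: treat it as an
        identity-theft red flag, lock the account, kill sessions, void the temp password."""
        rep = self.reps.get(username)
        if rep is None:
            return False
        rep.locked = True
        rep.active_sessions.clear()
        self.pending_temp.pop(username, None)
        self.audit.append({"event": "account_locked", "user": username,
                           "reason": "unrequested reset reported"})
        return True


def build_demo() -> ResetDesk:
    # Constructed sample data: two reps and one number on the fraud watchlist
    reps = {
        "rep.alpha": Rep("rep.alpha", "+1-555-0100", {"sess-1"}),
        "rep.beta": Rep("rep.beta", "+1-555-0101"),
    }
    return ResetDesk(reps, fraud_numbers={"+1-555-0199"})


def run_demo() -> List[ResetOutcome]:
    desk = build_demo()
    results = []
    # Caller dials in from a number already tied to prior impersonation attempts
    results.append(desk.request_reset("rep.alpha", "+1-555-0199", callback_answered=True))
    # Legitimate rep, reached back on the number on file
    results.append(desk.request_reset("rep.alpha", "+1-555-0100", callback_answered=True))
    # A rep reports a confirmation email for a reset they never requested, then
    # someone tries to reset that account again
    desk.report_unrequested_reset("rep.beta")
    results.append(desk.request_reset("rep.beta", "+1-555-0101", callback_answered=True))
    return results


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The watchlist check and the callback requirement map onto the two red flags the order says VFA had already detected but did not act on; `report_unrequested_reset` is the response that was missing three hours after the first fraudulent reset; clearing `active_sessions` is the session-termination control the order lists; and returning only a delivery channel rather than the credential is the "no temporary password by phone" policy change VFA adopted afterwards.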


[For further details, click on SEC Order.]