On September 26, 2018, the U.S. Securities and Exchange Commission (“SEC”) announced that Voya Financial Advisors Inc. (“VFA”), a Des Moines-based broker-dealer and investment advisor, agreed to pay $1 million to settle charges related to an April 2016 data breach that gave unauthorized access to the personally identifiable information of at least 5,600 VFA customers.
According to the SEC Order, the charges arise out of VFA’s failure to: (1) “adopt written policies and procedures reasonably designed to protect customer records and information, in violation of” the Safeguards Rule (Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a))) and (2) “develop and implement a written Identity Theft Prevention Program as required by” the Identity Theft Red Flags Rule” (Rule 201 of Regulation S-ID (17 C.F.R. § 248.201)). Notably, the SEC’s action does not allege any unauthorized transfers from VFA customer accounts due to the breach.
As part of the settlement, in addition to the monetary penalty, VFA has agreed to retain an independent consultant to monitor the firm’s compliance policies and procedures in connection with the Safeguards Rule and Identity Theft Red Flags Rule.
Even though this is the first SEC enforcement action under the Identity Theft Red Flags Rule, and just the third involving the Safeguards Rule (the previous two actions were brought in 2014 and 2016, respectively), SEC scrutiny of broker-dealer and investment advisor cybersecurity has long been on the horizon. In September 2017, the SEC announced the creation of a Cyber Unit within the Enforcement Division in order to police cyber-related misconduct. In February of this year, the SEC issued new guidance to public companies on how to disclose cybersecurity risks and incidents to investors. In April, the SEC settled claims with Altaba Inc. (formerly Yahoo! Inc.) to the tune of $35 million in connection with Yahoo’s failure to timely disclose a 2014 data breach of hundreds of millions of user accounts. This action is consistent with the SEC’s increased focus on cybersecurity and serves as a reminder to companies that the SEC will likely continue to pursue actions under the Safeguards Rule and Identity Theft Red Flags Rule.