A little-noticed consent decree entered into by the U.S. Securities and Exchange Commission earlier this year should be setting off alarm bells for financial firms and their boards of directors.
In a cease and desist order against Voya Financial Advisors, the investment advisory unit of Voya Financial, the SEC – for the first time – enforced its “Identity Theft Red Flags Rule” in punishing the firm for allegedly lackluster data security practices. The SEC charged that hackers were able to access sensitive client information including Social Security Numbers, account balances and even details of client investment accounts. The commission called out the company’s board of directors for failing to “administer and oversee” compliance with the rule.
Five years ago, the SEC adopted the red flags rule. It requires investment firms to pay attention to identity theft by developing and implementing a written program to “detect, prevent and mitigate” identity theft and fraud, and to identify “red flags” or other warning signs that someone may be trying to steal customer information or customer identities. The rule also requires that a firm’s board of directors or senior leadership administer the program. But until recently, the SEC did not enforce the rule.
The SEC’s charges against Voya were troubling enough that they may explain the agency’s decision to finally make use of its red flags rule. During a six-day window in 2016, cybercriminals impersonated Voya’s independent investment representatives – the largest segment of the firm’s work force – by calling the Voya help line and asking that their passwords be reset. Even though some of the telephone numbers the attackers called from were already flagged in Voya’s system as associated with fraud, the callers still made it past security and convinced Voya’s help line to reset the passwords and read the new passwords out over the phone, according to the SEC.
The intruders used the new passwords to gain access to the personal information of 5,600 customers, the SEC alleged, and then used that information to create new online customer profiles and identities and to pore through thousands of account records.
Without triggering a fraud alert, the hackers were able to change a legitimate customer’s phone number and address of record, which meant account statements and confirmations would be re-routed from the customer to the hackers. In several instances, the SEC said, the hackers used a “@yopmail.com” address; yopmail is a disposable email service that lets a user create an address, read incoming messages and then discard everything.
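The warning signs in the SEC’s account of the Voya intrusion are mechanical enough to be checked by software, which is what a “red flags” program is supposed to do. The following is an added illustration, not code from the article, the SEC order or Voya: it runs three checks over a constructed stream of help-desk and account-change events. A reset request from a phone number already tied to fraud is refused outright (the check Voya’s help line had the data for but did not apply); a burst of resets for several representatives inside one window is flagged; and a change of a customer’s contact details to a disposable email domain, or any contact change made through a credential that was itself just reset, is flagged. yopmail.com is the only disposable domain the order names; the flagged-number set, thresholds, identifiers and sample events are all assumptions made up for the example.

```python
"""Red-flag checks over constructed help-desk and account-change events.

Added illustration, not code from the article, the SEC order or Voya.
All identifiers, thresholds and events below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Numbers the firm has already tied to fraud (constructed for the example).
FLAGGED_CALLERS = {"+1-555-0100"}
# yopmail.com is the disposable service named in the SEC order; a real
# program would maintain a much larger list (assumption).
DISPOSABLE_DOMAINS = {"yopmail.com"}


@dataclass
class Event:
    ts: datetime
    kind: str            # "reset" (help-line password reset) or "contact_change"
    account: str         # account acted on: a rep for resets, a customer for changes
    caller: str = ""     # phone number a reset request came from
    via: str = ""        # credential that performed a contact change
    new_email: str = ""
    new_phone: str = ""


def reset_allowed(ev: Event) -> bool:
    """Policy the help line should apply before resetting a password:
    a request from a fraud-flagged number is refused, not merely logged."""
    return ev.caller not in FLAGGED_CALLERS


def scan(events, burst=3, burst_window=timedelta(hours=24),
         change_window=timedelta(days=7)):
    """Return (timestamp, flag, account) triples for every red flag found."""
    flags = []
    resets = []          # reset events seen so far, in time order
    reset_at = {}        # rep id -> time of that rep's most recent reset
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "reset":
            if ev.caller in FLAGGED_CALLERS:
                flags.append((ev.ts, "FLAGGED_CALLER", ev.account))
            resets.append(ev)
            # Distinct rep accounts reset within the trailing window.
            recent = {r.account for r in resets if ev.ts - r.ts <= burst_window}
            if len(recent) >= burst:
                flags.append((ev.ts, "RESET_BURST", ev.account))
            reset_at[ev.account] = ev.ts
        elif ev.kind == "contact_change":
            domain = ev.new_email.rpartition("@")[2].lower()
            if domain in DISPOSABLE_DOMAINS:
                flags.append((ev.ts, "DISPOSABLE_EMAIL", ev.account))
            # A contact change made through a freshly reset credential is
            # exactly the statement-rerouting step the SEC describes.
            if ev.via in reset_at and ev.ts - reset_at[ev.via] <= change_window:
                flags.append((ev.ts, "CHANGE_AFTER_RESET", ev.account))
    return flags


# Constructed sample: three rep resets in one day, one from a flagged number,
# then a customer's email moved to a disposable domain by a just-reset rep.
T0 = datetime(2016, 4, 1, 9, 0)
SAMPLE = [
    Event(T0, "reset", "rep-01", caller="+1-555-0199"),
    Event(T0 + timedelta(hours=2), "reset", "rep-02", caller="+1-555-0100"),
    Event(T0 + timedelta(hours=5), "reset", "rep-03", caller="+1-555-0142"),
    Event(T0 + timedelta(hours=6), "contact_change", "cust-7781", via="rep-02",
          new_email="statements@yopmail.com", new_phone="+1-555-0100"),
    Event(T0 + timedelta(days=30), "contact_change", "cust-1200", via="rep-09",
          new_email="jane@example.com"),
]

if __name__ == "__main__":
    for ts, flag, account in scan(SAMPLE):
        print(ts.isoformat(), flag, account)
```

On the sample, `scan` reports the flagged caller on the second reset, a reset burst on the third, and both a disposable-email and a change-after-reset flag on the customer record; the routine change a month later by an untouched rep produces nothing. The point of `reset_allowed` being a separate function is that a flag on a known-bad number should block the transaction at the help desk, not just appear in a report afterwards.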
Voya did not have its own cybersecurity staff but “outsourced” most of its data security functions to its parent company.
Voya had an identity theft program in place for nearly a decade before it was hacked but the program was never updated, nor was it approved by the firm’s board of directors or senior leaders, as is required. Instead, the program languished, was ignored by Voya’s security team and fell far below the requirements of the regulation.
Although Voya did not admit or deny liability in the SEC settlement, the commission deemed the firm’s violation of the red flags rule as “willful.”
“VFA’s [Voya Financial Advisors] board of directors or a designated member of VFA’s management did not administer and oversee the Identity Theft Prevention Program, as required by the Identity Theft Red Flags Rule,” concluded the SEC.
In the settlement, the SEC ordered that Voya clean up a laundry list of data security issues and also mandated that it engage a consultant to monitor its compliance with the red flags rule. This is also the first time the SEC has ordered the use of an independent monitor to police compliance with the red flags rule.
It’s likely that few financial firms and even fewer boards are aware of the rule. Many firms and their leaders are familiar with the SEC’s general data security rule and its guidance to public companies about disclosing cybersecurity risks and data breaches, but the red flags rule – for all its timeliness and importance – has flown under the radar.
- Voya serves as an important reminder that outsourcing the cybersecurity function – even if to an affiliate or parent organization – does not eliminate the risk of liability or responsibility for the function. Even with outsourcing, organizations are still well advised to exercise sufficient diligence to ensure that the vendor or service provider is living up to its contractual and legal obligations;
- Written policies and procedures, in and of themselves, won’t necessarily meet regulatory requirements. As the SEC made clear in Voya, data security policies and procedures must be developed and implemented to address a company’s risk profile and technology environment. General, boilerplate policies and procedures are unlikely to accomplish that end;
- While other regulatory agencies such as the Federal Trade Commission have made frequent use of compliance consultants and monitors, the Voya case is the first time the SEC has required a consultant to step into a data security case and monitor compliance. In fact, the consultant in Voya is required to report its compliance findings directly to the agency. Given the complexity of data security environments, it’s likely this isn’t the last time the agency will use a third-party to assist it in ensuring regulatory compliance.
- Even “dormant” regulations have their day, and it’s advisable to understand comprehensively the privacy and data security regulations and requirements that apply to a particular organization, even if regulators have not been applying them regularly; and,
- It is critical to understand a board’s oversight responsibilities in data security including mandates like the Identity Theft Red Flags Rule, which require direct input from the board and corporate leadership.
Over the past few years, the SEC has made cyber a priority. Earlier this year, the agency updated its guidance to public companies, telling them to beef up cybersecurity risk factors and data breach disclosures. And in April, the SEC brought its first enforcement action against a public company over breach disclosure, in connection with the massive Yahoo! Inc. data breach, after it was learned that the company sat for more than two years on the news that hackers had made off with the personal information of more than 500 million users. Altaba Inc., the successor entity to Yahoo after the sale of Yahoo’s operating business, was fined $35 million for the tardy disclosure.
With the SEC toughening its stance on data security issues, corporate leaders and board members should treat the Voya case as an object lesson and ensure that their identity theft programs are up-to-date and align with the particular cybersecurity risks that face their organization. Although Voya was only hit with a symbolic $1 million fine, it’s doubtful that the SEC will be as forgiving in the future.
Craig A. Newman is a partner with Patterson Belknap Webb & Tyler LLP, the New York law firm, and chair of its Privacy and Data Security Practice.
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.