
FYI: Charges Brought for Cybersecurity Failures

FYI: The SEC has brought settled charges against Voya Financial Advisors, Inc. (VFA), a dual-registered BD/IA, for cybersecurity failures. Here are some salient facts, according to the SEC’s order:

• VFA gave its independent contractor representatives access to its brokerage and advisory customer information through a proprietary web portal, which the reps used to access customer information and manage their brokerage accounts. The reps generally used their own IT equipment and their own networks to access the portal. Voya’s service call centers handled support calls from VFA’s customers and VFA’s reps.

o Over a 6-day period, imposters impersonating VFA reps succeeded in getting Voya’s technical support line to reset 3 passwords, which gave them access to customer information and accounts.

o In 2 of those instances, the imposters used phone numbers that Voya had previously identified as associated with prior fraudulent activity that also involved impersonating reps. Despite this, the technical support staff reset the passwords and provided temporary passwords over the phone in all 3 cases. In 2 of the cases, they also provided the rep’s username.

o In 1 case, the imposter’s password reset request was detected by the real rep, who contacted technical support. However, that did not prevent the intruders from obtaining passwords and gaining access to VFA’s portal by impersonating 2 additional representatives over the next several days.

• The intruders used the VFA contractor representatives’ usernames and passwords to log in to the portal and gain access to personal information for at least 5,600 of VFA’s customers, and subsequently to obtain account documents containing personal information of at least 1 Voya customer. The intruders also used customer information to create new Voya.com customer profiles, which gave them access to personal information and account information of 2 additional customers.

According to the SEC order, there have been no known unauthorized transfers of funds or securities from VFA customer accounts as a result of the intrusions.

Importantly, VFA’s independent contractor reps were licensed as registered BD representatives or otherwise qualified to effect transactions in securities on behalf of VFA. Some were also investment adviser representatives of VFA. Under these circumstances, the SEC treated the reps as ‘controlled by’ the broker-dealer, and, therefore, as associated persons of the broker-dealer.

These incidents and compliance program failures were charged as violations of the Safeguards Rule and the Identity Theft Red Flags Rule of Reg S-P. Sanctions included a censure, a cease-and-desist order and a $1 million civil penalty.

SEC’s order: https://www.sec.gov/litigation/admin/2018/34-84288.pdf.

* * *