SEC Fine BD $1mn Cybersecurity

On Sep. 26, SEC fined Voya $1mn for  client data cyber intrusion.

  • Voya Financial Advisors (VFA) violated SEC rules on safeguards and ID theft.
  • Safeguards per Rule 30(a) of Reg S-P; ID theft under Rule 201 of Reg S-ID.
  • First SEC enforcement charging violations of the identity theft red flags rule.

Alleged Violations

  • Cyber intruders impersonated VFA contractors, over a six-day period in 2016.
  • They called VFA’s support line requesting the contractors’ passwords be reset.
  • Intruders used new passwords, to find personal data of 5,600 VFA customers.
  • Data of 3 customers used to create online profile, access financial documents.
  • Failure to stop access stemmed from weaknesses in cybersecurity procedures.
  • Some of procedures had been exposed during prior similar fraudulent activity.
  • Failed to apply procedure to the systems used by its independent contractors.
  • Despite such independent contractors comprising largest part of its workforce.
  • Portal was serviced and maintained by VFA's parent company, Voya Financial.


  • VFA will pay $1mn penalty, retain independent consultant to evaluate policies.