- Voya Financial Advisors (VFA) violated SEC rules on safeguards and ID theft.
- Safeguards per Rule 30(a) of Reg S-P; ID theft under Rule 201 of Reg S-ID.
- First SEC enforcement charging violations of the identity theft red flags rule.
- Cyber intruders impersonated VFA contractors, over a six-day period in 2016.
- They called VFA’s support line requesting the contractors’ passwords be reset.
- Intruders used new passwords, to find personal data of 5,600 VFA customers.
- Data of 3 customers used to create online profile, access financial documents.
- Failure to stop access stemmed from weaknesses in cybersecurity procedures.
- Some of procedures had been exposed during prior similar fraudulent activity.
- Failed to apply procedure to the systems used by its independent contractors.
- Despite such independent contractors comprising largest part of its workforce.
- Portal was serviced and maintained by VFA's parent company, Voya Financial.
- VFA will pay $1mn penalty, retain independent consultant to evaluate policies.