SEC Charges Firm With Deficient Cybersecurity Procedures

Washington D.C., Sept. 26, 2018 —

The Securities and Exchange Commission today announced that a Des Moines-based broker-dealer and investment adviser has agreed to pay $1 million to settle charges related to its failures in cybersecurity policies and procedures surrounding a cyber intrusion that compromised personal information of thousands of customers.

The SEC charged Voya Financial Advisors Inc. (VFA) with violating the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft.  This is the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule.

According to the SEC’s order, cyber intruders impersonated VFA contractors over a six-day period in 2016 by calling VFA’s support line and requesting that the contractors’ passwords be reset. The intruders used the new passwords to gain access to the personal information of 5,600 VFA customers.  The SEC’s order finds that the intruders then used the customer information to create new online customer profiles and obtain unauthorized access to account documents for three customers.  The order also finds that VFA’s failure to terminate the intruders’ access stemmed from weaknesses in its cybersecurity procedures, some of which had been exposed during prior similar fraudulent activity.  According to the order, VFA also failed to apply its procedures to the systems used by its independent contractors, who make up the largest part of VFA’s workforce.

“Customers entrust both their money and their personal information to their brokers and investment advisers,” said Stephanie Avakian, Co-Director of the SEC Enforcement Division.  “VFA failed in its obligations when its deficiencies made it vulnerable to cyber intruders accessing the confidential information of thousands of its customers.”

“This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Robert A. Cohen, Chief of the SEC Enforcement Division’s Cyber Unit.  “They also must review and update the procedures regularly to respond to changes in the risks they face.”

Without admitting or denying the SEC’s findings, VFA agreed to be censured and pay a $1 million penalty, and will retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule and related regulations.

The SEC’s investigation was conducted by Arsen Ablaev of the Cyber Unit and Paul Montoya in the Chicago Regional Office.  The case was supervised by Kathryn Pyszka in the Chicago Regional Office and Mr. Cohen.  The examination that led to the investigation was conducted by the Chicago Regional Office with the assistance of the National Examination Program.  The examination team included Kristine Baker, Stacey Gohl, Thu Bao Ta, David Mueller, Daniel Dewaal and Emilie Abate.


Bill cementing cybersecurity agency at DHS heads to Trump's desk

A bill that will solidify the Department of Homeland Security’s (DHS) role as the main federal agency overseeing civilian cybersecurity is heading to President Trump's desk.

The House on Tuesday unanimously passed a bill to establish a new cybersecurity agency, known as the Cybersecurity and Infrastructure Security Agency (CISA), with the same stature as other units within DHS, such as the Secret Service or FEMA.

The bill will also rebrand DHS’ main cybersecurity unit, known as the National Protection and Programs Directorate (NPPD), as the Cybersecurity and Infrastructure Security Agency. That means the agency will be a full-fledged operational component of DHS.


The legislation passed the Senate in a unanimous consent vote last month. The Senate had made some changes to an earlier version of the House-passed bill, which required it to be sent back to the lower chamber for final approval.

Members in the House passed the bill Tuesday in the first series of votes following last week's midterm elections.

Top DHS officials have been pushing for the bill to pass, arguing it would better communicate their mission to the private sector and help DHS recruit top cyber talent.

“Today’s vote is a significant step to stand up a federal government cybersecurity agency,” DHS Secretary Kirstjen Nielsen said in a statement. “The cyber threat landscape is constantly evolving, and we need to ensure we’re properly positioned to defend America’s infrastructure from threats digital and physical. It was time to reorganize and operationalize NPPD into the Cybersecurity and Infrastructure Security Agency.”

NPPD's top cyber official, Christopher Krebs -- who would become the cyber agency's director under this bill -- echoed Nielsen.

“Elevating the cybersecurity mission within the Department of Homeland Security, streamlining our operations, and giving NPPD a name that reflects what it actually does will help better secure the nation’s critical infrastructure and cyber platforms," Krebs said in a statement. "The changes will also improve the Department’s ability to engage with industry and government stakeholders and recruit top cybersecurity talent.”

The bill stalled in the Senate earlier this year. NPPD is responsible for securing federal networks and protecting critical infrastructure from cyber and physical threats.

NPPD has seen its responsibilities rapidly expand in the decade since its inception, most recently taking the lead on engaging with states to protect digital election infrastructure from sabotage following Russian interference in the 2016 election.