Five years ago, the Securities and Exchange Commission adopted a rule requiring investment firms to pay attention to identity theft. It never enforced it — until late last month.
In a cease-and-desist order against Voya Financial Advisors, the investment advisory unit of Voya Financial, the commission used the “Identity Theft Red Flags Rule” to censure the firm for allowing hackers to access social security numbers, account balances and even details of client investment accounts.
The S.E.C.’s action should set off alarm bells for every financial firm and board of directors under the agency’s watch. Most companies are probably not in compliance with the rule and, given the agency’s increased focus on cybersecurity, they should move quickly to address any issues.
The rule — originally part of the Dodd-Frank regulatory overhaul — calls for investment firms to maintain an up-to-date program for preventing identity theft, which should provide “red flags” or other warning signs when hackers might be trying to steal customer information. The rule also requires that a firm’s board of directors or senior leadership team administer the program.
The S.E.C.’s charges in the Voya case were so egregious that it might explain why the agency finally dusted off the rule. In fact, Voya’s violation was deemed “willful” by the commission.
For six days in 2016, cybercriminals called the firm’s helpline and impersonated Voya’s independent investment representatives — the staff members who make up the largest segment of the firm’s work force. Even though Voya’s system flagged some of the telephone numbers used by the hackers as potentially fraudulent, the callers were able to convince Voya’s helpline staff to reset their passwords and provide new ones over the phone, according to the S.E.C.
The intruders used the new passwords to gain access to the personal information of 5,600 customers and create new online customer profiles.
The hackers were able to change customer phone numbers and addresses so account statements and confirmations would be rerouted without triggering a fraud alert. In several instances, hackers used “@yopmail.com,” a disposable email service that lets users create temporary email addresses, to receive the automated verification messages that would otherwise have reached the real customer, review them, and then destroy everything.
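As an added illustration (not code from the article, the S.E.C. or Voya), the red flags described above can be expressed as checks over a firm's own helpline and account-maintenance events: a password reset requested from a number the firm's system has already flagged, a new password handed out over the phone, and follow-on profile edits that reroute statements or point contact email at a disposable domain. Every event field, name and number below is a constructed assumption.

```python
from dataclasses import dataclass, field

# Constructed, not Voya's data: numbers the firm's own system already flagged,
# and the disposable e-mail domain named in the S.E.C. order.
FLAGGED_NUMBERS = {"+1-555-0100"}
DISPOSABLE_DOMAINS = {"yopmail.com"}

@dataclass
class Event:
    kind: str                 # "reset" (helpline password reset) or "profile_change"
    rep_id: str               # representative whose credentials are in play
    phone: str = ""           # caller number, for resets
    channel: str = ""         # how the new password was delivered
    changes: dict = field(default_factory=dict)  # fields edited, for profile changes

def event_flags(ev):
    """Red flags raised by one event on its own (empty list = nothing to see)."""
    flags = []
    if ev.kind == "reset":
        if ev.phone in FLAGGED_NUMBERS:
            flags.append("reset requested from a flagged number")
        if ev.channel == "phone":
            flags.append("new password handed out over the phone")
    elif ev.kind == "profile_change":
        domain = ev.changes.get("email", "").rpartition("@")[2].lower()
        if domain in DISPOSABLE_DOMAINS:
            flags.append("contact e-mail moved to a disposable domain")
        if ev.changes.keys() & {"phone", "address"}:
            flags.append("statement delivery details changed")
    return flags

def review(events):
    """Map rep_id -> flags; escalate profile edits that follow a flagged reset."""
    report, reset_flagged = {}, set()
    for ev in events:
        flags = event_flags(ev)
        if ev.kind == "reset" and flags:
            reset_flagged.add(ev.rep_id)
        elif ev.kind == "profile_change" and flags and ev.rep_id in reset_flagged:
            flags.append("ESCALATE: profile edits after a flagged reset")
        if flags:
            report.setdefault(ev.rep_id, []).extend(flags)
    return report

# Constructed sequence mirroring the incident: a flagged caller resets a rep's password by phone, then reroutes a customer's statements and e-mail.
SAMPLE = [
    Event("reset", "rep-42", phone="+1-555-0100", channel="phone"),
    Event("profile_change", "rep-42", changes={"phone": "+1-555-0177", "email": "x@yopmail.com"}),
    Event("profile_change", "rep-07", changes={"address": "new street"}),
]
```

The point of `review` is that the individual signals Voya's system already had (a flagged number, a phone-delivered reset) only become actionable when they are tied to what happens next under the same representative's access.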
Surprisingly, Voya had an identity theft program in place for nearly a decade before the incident, but the program languished. It was never updated and fell far below the requirements of the regulation. It was not approved by the firm’s board of directors or senior leaders, as is required, and was ignored by Voya’s security team.
In the settlement — in which Voya did not admit or deny the charges — the S.E.C. ordered the company to clean up a long list of data security issues. The agency for the first time also mandated a consultant to monitor the company’s compliance with the red flags rule.
It’s likely that few companies and even fewer boards are aware of the rule. Many are familiar with the S.E.C.’s general data safeguards regulation and its guidance to public companies about disclosing cybersecurity risks and data breaches. But the red flags rule — for all its timeliness and importance — has been ignored.
Over the past few years, the S.E.C. has made cybersecurity a priority. Earlier this year, it updated its guidance to public companies, telling them to reduce cybersecurity risk factors and improve data breach disclosures. And in April, the S.E.C. pursued its first-ever cybersecurity enforcement action against Yahoo after the company failed to disclose for more than two years that hackers had made off with the personal information of more than 500 million users. Altaba, the company that has since purchased Yahoo, was fined $35 million for the tardy disclosure.
It shouldn’t be surprising, then, that the S.E.C. is toughening its stance on data security issues. Although the S.E.C. only hit Voya with a symbolic $1 million fine, it’s doubtful that the agency will be as forgiving in the future. The penalty could be a mere starting point, with future fines quickly escalating.
The choice for investment firms and their boards is clear: Shore up identity theft programs or risk increasingly serious consequences.