Des Moines-based broker Voya Financial Advisors (VFA) has been fined $1 million in a cybersecurity case that’s the first under the Identity Theft Red Flags Rule. VFA has agreed to pay the fine in a case in which its systems were compromised and the personal information of thousands of the firm’s customers was put at risk.
The SEC announced this week that it has charged VFA with violating the Safeguards Rule and the Identity Theft Red Flags Rule. These rules were designed to protect customers and their confidential information from cyberattack activity.
In April 2016, over a six-day period, one or more individuals posing as an independent contractor called VFA’s technical support number to request portal password resets for three representatives. Two of those calls came from phone numbers that were used in previous fraudulent activities. Technical support personnel not only reset these passwords but provided the usernames as well.
Once the passwords were reset, the hackers created new bogus replica customer profiles and used them to gain access to three real customer files. When representatives began to contact the company about the reset passwords and unauthorized access, the company took steps to block the hackers, but it didn’t work. They were able to impersonate more individuals as a result. However, the SEC says there were no transfers or other unauthorized activity in the accounts that had unauthorized access, and no customer lost any money.
Some of the weaknesses were exposed by a previous security breach that was also used for fraudulent activity.
VFA also failed to apply procedures to its independent contractor workers, who make up the largest part of the company’s workforce. Most of these individuals work in remote office locations, and use their own networks and computer equipment to access the web portal and company’s systems. The unauthorized access occurred from 2013 until 2017.
The SEC’s order states that although there were procedures in place for independent contractors, they “were not reasonably designed to apply to the systems they used.” VFA has since updated and improved its cybersecurity procedures.
“This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Robert A. Cohen, Chief of the SEC Enforcement Division’s Cyber Unit. “They also must review and update the procedures regularly to respond to changes in the risks they face.”
VFA has agreed to a censure, to take remedial actions and to pay the fine. The company will hire an independent consultant to review its policies and procedures for compliance with these rules, as well as other related regulations.
Did Voya Financial Advisors Leave Your Information Open To Hackers?
Silver Law Group represents investors in securities and investment fraud cases. Our class action attorneys can handle Wall Street data breach cases and claims for improper disclosure of customer information. Our lawyers are admitted to practice in New York and Florida and represent investors nationwide to help recover investment losses due to stockbroker misconduct. Most cases are handled on a contingent fee basis. This means that you won’t pay any legal fees unless we are successful. Call us toll free at 800-975-4345, or use our online contact form to get in touch.