Voya Financial Advisors will pay $1 million to settle claims it violated two rules designed to protect confidential customer information and protect customers from the risk of identity theft, the Securities and Exchange Commission announced Wednesday.
The SEC charged the company with violating the Safeguards Rule and the Identity Theft Red Flags Rule after intruders gained entry into VFA — Voya Financial's retail wealth management arm that operates as a broker-dealer. The intrusion did not involve Voya's other businesses, including its record-keeping business.
Over a six-day period in 2016, intruders impersonating VFA contractors called VFA's support line and requested that the contractors' passwords be reset. The intruders used the new passwords to gain access to the personal information of 5,600 VFA customers. The SEC order finds that the intruders then used the customer information to create new online customer profiles and obtain unauthorized access to account documents for three customers. The order also finds that VFA's failure to terminate the intruders' access stemmed from weaknesses in its cybersecurity procedures.
"This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models," said Robert A. Cohen, chief of the SEC enforcement division's cyber unit, in a news release. "They also must review and update the procedures regularly to respond to changes in the risks they face."
VFA did not admit to or deny any of the SEC's findings. In a statement, a company spokesman said Voya promptly addressed and reported the incident when it occurred two years ago and notified the individuals who were involved. "No personal information was downloaded from our systems, and there was no evidence of financial harm," the statement said. "We have also enhanced our measures so that a similar situation does not reoccur.
"Voya takes fraud and security matters seriously, and we invest significantly each year in our programs to protect the accounts and personal information of customers," the statement went on. "We also know that independent advisers and third parties who work with us are increasingly the targets of fraud. As part of our efforts, Voya continues to work with and support these partners to help protect their identity and client information."