On September 26, 2018, the Securities and Exchange Commission charged Voya Financial Advisors Inc., an investment advisor and broker-dealer, for its failure to respond adequately to a cybersecurity intrusion. This case marks the first SEC charges related to the Identity Theft Red Flags Rule (Regulation S-ID), which requires regulated entities that maintain covered accounts to implement identity theft programs.

The action signals that the SEC’s Enforcement Division will pursue regulated entities that fail to implement adequate cybersecurity protocols, even when those entities maintain relatively robust policies and even in the absence of any theft of funds or securities. Regulated entities should pay particular attention to red flags, fully extend their cybersecurity programs to contractors, and direct more resources toward governance and implementation.

SEC Cybersecurity Framework

Broadly speaking, the SEC divides its enforcement approach to cybersecurity into three areas:

• Unlawful Market Advantage. The SEC investigates cyber-related misconduct designed to gain some form of unlawful market advantage.  Examples include hacking or intrusions designed to facilitate insider trading or market manipulation.

• Regulated Entities. As demonstrated by this most recent action, the SEC also will pursue registered entities—investment advisors, broker-dealers, and others—that fail to safeguard information or to develop adequate protocols. The SEC focuses on breaches of various Commission rules, such as Regulations S-P, S-ID, SCI, and others, as well as the design and execution of policies and procedures.

• Public Companies. The third area of SEC focus is public company disclosures related to cyber events. In February 2018, the Commission issued guidance reaffirming the need for public companies to disclose risks and implications of cyber events.   

The Commission has been proceeding cautiously in the second and third categories. That hesitation acknowledges that regulated entities and public companies are themselves victims of intrusions, appreciates the evolving nature of technological threats, and reflects a desire to encourage a collaborative regulatory relationship in this area. 

The case against Voya suggests a subtle shift in this dynamic. The SEC appears more willing to police cybersecurity through enforcement. This action follows the SEC’s formation of a Cyber Unit in September 2017 and the high-profile announcement of a settled action against Altaba in April 2018.  Investment advisors and broker-dealers should anticipate additional examination and enforcement focus on cybersecurity, and a less forgiving approach to intrusions. 

Cybersecurity for Investment Advisors

In April 2015, the Division of Investment Management (IM) issued cybersecurity guidance for investment advisors. The guidance focused on the adequacy of cybersecurity policies and procedures. IM advised registrants to take the following steps:

• Periodic Assessment. Conduct a periodic assessment of (1) the information collected and used and the related technology systems; (2) internal and external threats and vulnerabilities; (3) current controls and processes; (4) the impact of breaches; and (5) the governance structure. An effective assessment identifies threats and vulnerabilities to prioritize and mitigate risk.

• Strategic Design. Create a strategy designed to prevent, detect, and respond to threats.  Such a strategy (1) controls access through user credentials, authentication, and authorization methods, firewalls, and perimeter defenses, tiered access, network segregation, and system hardening; (2) encrypts data; (3) restricts removable storage and monitors for intrusions, the loss or exfiltration of data, or other unusual events; (4) facilitates backup and retrieval; and (5) includes an incident response plan.  Routine testing enhances the effectiveness of any strategy.

• Implementation.  Implement the strategy through written policies and procedures and training related to threats and measures to prevent, detect, and respond to such threats, and monitor compliance. 

Per the guidance, policies and procedures must be tailored.

In 2015 and 2016, the SEC brought two cases against RT Jones Capital Equities Management, Inc. and Morgan Stanley Smith Barney LLC, alleging violations of Regulation S-P, also called the Safeguards Rule. Regulation S-P requires registered investment advisors to adopt written policies and procedures reasonably designed to safeguard customer records and information.

Prior Commission guidance noted that advisors also must comply with Regulation S-ID, the Identity Theft Red Flags Rule. Regulation S-ID requires advisors to implement reasonable policies and procedures to identify, monitor, and respond to identity theft.

From 2014 to 2017, the Office of Compliance Inspections and Examinations (OCIE) issued summaries of findings from cybersecurity examinations. Those summaries provide a sense of industry developments and the expectations of examination staff.

Voya

In the most recent action, the SEC charged Voya, a dual registrant with approximately $11 billion in regulatory assets under management, with violations of the Safeguards Rule and the Identity Theft Red Flags Rule.   

According to the Order, for six days in 2016 cyber intruders impersonating Voya contractors called Voya’s support desk and requested password resets.  The cyber intruders were able to create new contractor passwords and then gain access to the information of 5,600 customers.

The SEC concluded that weaknesses in Voya’s cybersecurity measures allowed the intruders’ access and then failed to terminate that access once detected. The Order highlighted the connection between the intrusion and prior intrusion attempts identified by Voya. The Commission also emphasized Voya’s failure to extend its cybersecurity program fully to its large network of independent contractors.

Without admitting or denying the charges, Voya agreed to cease and desist from violating the Safeguards Rule and the Identity Theft Red Flags Rule and to pay a $1 million penalty.  In addition to other remedial measures, including the appointment of a new Chief Informational Security Officer, Voya agreed to engage an independent consultant to evaluate its cybersecurity program. 

Observations

The SEC continues to take an active enforcement interest in the cybersecurity of regulated entities.  The SEC’s action against Voya reflects the real and substantial risk of noncompliance. Regulated entities with strong cybersecurity and incident response protocols will be better positioned to curb the effects of an intrusion. 

Even regulated entities with a relatively developed program can fall short of regulatory standards.  It is noteworthy that Voya had in place multiple elements of a strong cybersecurity framework. The Order cites a dozen cybersecurity policies and procedures that required:

• Manual lockouts following suspected security incidents,

• Session timeouts for web applications,

• Prohibition of concurrent web sessions,

• Multi-factor authentication,

• Annual and ad hoc review of cybersecurity policies, and

• Cybersecurity awareness training and updates.

The intrusion event in question was identified and escalated, and Voya responded within days. Further, the intrusion did not result in the actual transfer of funds or securities.

Notwithstanding these efforts, the SEC identified several gaps. Overall, the Order reflects the Commission’s focus on higher-level governance and implementation. The SEC also emphasized the prior intrusion events and Voya’s failure to extend its cybersecurity protocol fully to its independent contractor network. That said, the Order also reveals close scrutiny of specific aspects of the cybersecurity protocol. The SEC identified granular flaws, such as the absence of clear flags on targeted user accounts and the need for automated screens of unusual phone numbers or email addresses. 
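To make the granular findings concrete (flags on previously targeted accounts, automated screening of the caller's phone number and e-mail address, manual lockouts, and the controls listed above), here is an added illustration of a help-desk password-reset screen. It is example code written for this article, not code from the Order, from Voya, or from any vendor; the class and function names (ResetScreen, ResetRequest, run_scenario), the contractor directory, and every phone number and e-mail address in it are constructed for the example.

```python
"""Help-desk password-reset red-flag screen (constructed example).

Each reset call is checked before a new password is issued:
  * the callback number and e-mail must match the contractor directory;
  * an account targeted by an earlier suspicious request stays flagged, so a
    later call is not judged in isolation;
  * repeated requests inside a review window are refused;
  * an analyst can lock an account after a suspected incident.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed contractor directory: hypothetical users and contact details.
DIRECTORY = {
    "contractor01": {"phone": "+15550100", "email": "c01@example.com"},
    "contractor02": {"phone": "+15550101", "email": "c02@example.com"},
}

BASE_TIME = datetime(2016, 4, 1, 9, 0)  # constructed reference time


@dataclass
class ResetRequest:
    user: str
    caller_phone: str
    caller_email: str
    at: datetime


@dataclass
class Decision:
    action: str     # "allow", "escalate" (step-up verification), or "deny"
    reasons: list


def request(user, phone, email, hours=0):
    """Build a request `hours` after BASE_TIME (helper for the scenario)."""
    return ResetRequest(user, phone, email, BASE_TIME + timedelta(hours=hours))


class ResetScreen:
    """Screens password-reset calls; holds flag, lock, and request history."""

    def __init__(self, window=timedelta(days=7), max_requests=2):
        self.window = window
        self.max_requests = max_requests
        self.flagged = set()   # accounts targeted by an earlier suspicious request
        self.locked = set()    # accounts locked after a suspected incident
        self.history = {}      # user -> timestamps of all reset requests

    def lock(self, user):
        """Manual lockout following a suspected security incident."""
        self.locked.add(user)

    def screen(self, req):
        reasons = []
        on_file = DIRECTORY.get(req.user)

        if req.user in self.locked:
            reasons.append("account is locked after a suspected incident")
        if on_file is None:
            reasons.append("account not in contractor directory")
        else:
            if req.caller_phone != on_file["phone"]:
                reasons.append("caller phone does not match number on file")
            if req.caller_email.lower() != on_file["email"]:
                reasons.append("caller e-mail does not match address on file")

        recent = [t for t in self.history.get(req.user, []) if req.at - t <= self.window]
        if len(recent) + 1 > self.max_requests:
            reasons.append("too many reset requests within the review window")
        self.history.setdefault(req.user, []).append(req.at)

        if reasons:
            # Any red flag marks the account so later calls are not judged in isolation.
            self.flagged.add(req.user)
            return Decision("deny", reasons)
        if req.user in self.flagged:
            return Decision("escalate", ["account previously targeted; step-up verification required"])
        return Decision("allow", [])


def run_scenario():
    """Constructed call sequence; returns the action taken for each call."""
    s = ResetScreen()
    out = [s.screen(request("contractor01", "+15550100", "c01@example.com")).action]
    # Caller knows the username but calls back from a number not on file.
    out.append(s.screen(request("contractor02", "+15559999", "c02@example.com", hours=1)).action)
    # Same account, now from the number on file: still routed to step-up verification.
    out.append(s.screen(request("contractor02", "+15550101", "c02@example.com", hours=24)).action)
    s.lock("contractor02")  # analyst locks the account after reviewing the incident
    out.append(s.screen(request("contractor02", "+15550101", "c02@example.com", hours=48)).action)
    return out


if __name__ == "__main__":
    print(run_scenario())  # ['allow', 'deny', 'escalate', 'deny']
```

The design point is that a single mismatch does not merely fail one call: it leaves a durable flag on the account, so the next request for the same user, even with correct-looking details, goes to a higher verification tier rather than through the ordinary reset path.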

To reduce the risk of enforcement actions, regulated entities should scrutinize and periodically reassess their existing cybersecurity protocols, tailoring them to address specific risks. Regulated entities should consider the practical and regulatory benefits of adopting the NIST Cybersecurity Framework, favored by government agencies, or ISO/IEC 27001, an internationally recognized framework. The protocol should address prior intrusion attempts and extend to independent contractors. Importantly, regulated entities should consider dedicating more resources to implementation and governance, encouraging more institutional focus on cybersecurity. 

Finally, the Order leaves open the benefit of self-reporting breaches and intrusions.  In recent years, the SEC encouraged self-reporting to limit investor harm and to aid the prosecution of the perpetrators. The Order suggests that Voya did not self-report and that the issue was identified during the examination process, or perhaps through other public reports of the breach. Regulated entities should consider the benefits of self-reporting intrusion events, particularly when they are subject to examination and when federal or state law requires public reporting that can draw regulatory attention.

Paul Helms, a partner with the law firm McDermott Will & Emery LLP, defends clients in government investigations, principally investigations by the U.S. Securities and Exchange Commission, and conducts internal investigations involving securities, accounting, and other financial concerns. Prior to joining McDermott, Helms worked in the SEC’s Enforcement Division in various roles, including as counsel to the director of enforcement and a member of the Asset Management Unit.  Sean Hennessy and Lynette Arce are associates at McDermott, practicing in the firm’s Litigation and Global Privacy and Cybersecurity Groups, respectively.