• Strategic Design. Create a strategy designed to prevent, detect, and respond to threats. Such a strategy (1) controls access through user credentials, authentication and authorization methods, firewalls and perimeter defenses, tiered access, network segregation, and system hardening; (2) encrypts data; (3) restricts removable storage and monitors for intrusions, loss or exfiltration of data, and other unusual events; (4) provides for backup and retrieval; and (5) includes an incident response plan. Routine testing of the strategy, not just its adoption, is what makes it effective.

• Implementation. Implement the strategy through written policies and procedures, train personnel on the relevant threats and on the measures adopted to prevent, detect, and respond to them, and monitor compliance with those policies.

Per the guidance, policies and procedures must be tailored to the advisor's own business rather than adopted as a generic template.

In 2015 and 2016, the SEC brought two cases, against RT Jones Capital Equities Management, Inc. and Morgan Stanley Smith Barney LLC, alleging violations of the Safeguards Rule of Regulation S-P. The Safeguards Rule requires registered investment advisors (among other regulated entities) to adopt written policies and procedures reasonably designed to safeguard customer records and information.

Prior Commission guidance noted that advisors also must comply with Regulation S-ID, the Identity Theft Red Flags Rule. Regulation S-ID requires advisors to implement reasonable policies and procedures to identify red flags of identity theft, detect those red flags, and respond to them appropriately.

From 2014 to 2017, OCIE issued summaries of findings from its cybersecurity examinations. Those summaries give a sense of how industry practice developed over that period and of what examination staff expect to see.

Voya

In the most recent action, the SEC charged Voya, a dual registrant (broker-dealer and investment advisor) with approximately $11 billion in regulatory assets under management, with violations of the Safeguards Rule and the Identity Theft Red Flags Rule.

According to the Order, over a six-day period in 2016 cyber intruders impersonating Voya contractors called Voya's support desk and requested password resets. The support desk reset the passwords, the intruders obtained the new contractor credentials, and they used those credentials to gain access to the personal information of 5,600 customers.

The SEC concluded that weaknesses in Voya's cybersecurity procedures allowed the intruders to gain access, and that Voya failed to terminate that access once the intrusion was detected. The Order highlighted the connection between this intrusion and prior intrusion attempts that Voya itself had already identified, and which should have informed its handling of the reset requests. The Commission also emphasized Voya's failure to extend its cybersecurity program fully to its large network of independent contractors.
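The two failures the Order describes, reset requests that were not correlated with previously flagged attempts and access that was not revoked after detection, are both checkable from help-desk records. The following is an added example, not code from the Order, from Voya, or from the SEC: it reviews a constructed set of password-reset requests against an assumed watchlist of caller identifiers tied to earlier intrusion attempts and an assumed velocity threshold, and returns the accounts whose access should be revoked and re-issued only after identity is verified. The log fields, caller identifiers, account names and thresholds are all assumptions made for illustration.

```python
"""Added example: review help-desk password resets for contractor accounts.

Not from the SEC Order or from any firm's real systems. Field names, the
watchlist, the sample requests and the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ResetRequest:
    ts: datetime        # when the help desk performed the reset
    account: str        # contractor account whose password was reset
    caller_id: str      # identifier of the requester (assumed: phone number)
    channel: str        # how the request arrived (assumed: "phone", "portal")


# Constructed sample data; not taken from any real incident.
SAMPLE_REQUESTS = [
    ResetRequest(datetime(2016, 4, 1, 9, 5), "c-1001", "+1-555-0100", "phone"),
    ResetRequest(datetime(2016, 4, 1, 11, 40), "c-1002", "+1-555-0199", "phone"),
    ResetRequest(datetime(2016, 4, 2, 10, 15), "c-1003", "+1-555-0199", "phone"),
    ResetRequest(datetime(2016, 4, 3, 16, 20), "c-1004", "+1-555-0199", "phone"),
    ResetRequest(datetime(2016, 4, 20, 8, 30), "c-1005", "+1-555-0199", "phone"),
]

# Assumed watchlist: caller identifiers already tied to earlier, unsuccessful
# intrusion attempts that the firm had flagged.
FLAGGED_CALLERS = {"+1-555-0100"}


def review_resets(requests, flagged_callers,
                  window=timedelta(days=7), per_caller_limit=2):
    """Return {account: [reasons]} for resets that should be treated as suspicious.

    Two checks, both of which only work if the help desk records caller
    identity for every reset:
      1. the caller identifier is on the watchlist of prior attempts;
      2. the same caller obtained more than `per_caller_limit` resets
         within `window` (velocity across *different* accounts is what a
         single impersonator working through a contractor list looks like).
    """
    findings = defaultdict(list)
    by_caller = defaultdict(list)
    for req in sorted(requests, key=lambda r: r.ts):
        if req.caller_id in flagged_callers:
            findings[req.account].append(
                f"caller {req.caller_id} previously flagged for intrusion attempts")
        by_caller[req.caller_id].append(req)
        recent = [r for r in by_caller[req.caller_id] if req.ts - r.ts <= window]
        if len(recent) > per_caller_limit:
            accounts = sorted({r.account for r in recent})
            findings[req.account].append(
                f"caller {req.caller_id} obtained {len(recent)} resets for "
                f"{len(accounts)} accounts within {window.days} days")
    return dict(findings)


def accounts_to_revoke(findings):
    """Accounts whose current credentials and sessions should be revoked.

    Re-issue only after identity is verified through a channel independent
    of the original request; a second phone call does not count.
    """
    return sorted(findings)


if __name__ == "__main__":
    found = review_resets(SAMPLE_REQUESTS, FLAGGED_CALLERS)
    for account, reasons in sorted(found.items()):
        print(account, "->", "; ".join(reasons))
    print("revoke:", accounts_to_revoke(found))
```

In the constructed data the flagged caller triggers on the first request, and the second caller trips the velocity check on the third reset in three days but not on the later request that falls outside the window. The `accounts_to_revoke` output is the list that turns detection into termination of access; generating it is cheap, acting on it is the step the Order says was missed.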

Without admitting or denying the charges, Voya agreed to cease and desist from violating the Safeguards Rule and the Identity Theft Red Flags Rule and to pay a $1 million penalty. In addition to other remedial measures, including the appointment of a new Chief Information Security Officer, Voya agreed to engage an independent consultant to evaluate its cybersecurity program.