Observations

The SEC continues to take an active enforcement interest in the cybersecurity of regulated entities. The SEC’s action against Voya reflects the real and substantial risk of noncompliance. Regulated entities with strong cybersecurity and incident response protocols will be better positioned to curb the effects of an intrusion.

Even regulated entities with a relatively developed program can fall short of regulatory standards. It is noteworthy that Voya had in place multiple elements of a strong cybersecurity framework. The Order cites a dozen cybersecurity policies and procedures that required:

• Manual lockouts following suspected security incidents,

• Session timeouts for web applications,

• Prohibition of concurrent web sessions,

• Multi-factor authentication,

• Annual and ad hoc review of cybersecurity policies, and

• Cybersecurity awareness training and updates.

The intrusion event in question was identified and escalated, and Voya responded within days. Further, the intrusion did not result in the actual transfer of funds or securities.

Notwithstanding these efforts, the SEC identified several gaps. Overall, the Order reflects the Commission’s focus on higher-level governance and implementation. The SEC also emphasized the prior intrusion events and Voya’s failure to extend its cybersecurity protocol fully to its independent contractor network. That said, the Order also reveals close scrutiny of specific aspects of the cybersecurity protocol. The SEC identified granular flaws, such as the absence of clear flags on targeted user accounts and the need for automated screens of unusual phone numbers or email addresses.