The Securities and Exchange Commission has charged Voya Financial Advisors for cybersecurity failures, which also exposes a weakness in its independent advisor force. Voya settled the charges, which include violations of the Safeguards Rule and the Identity Theft Red Flags Rule, for $1 million.
In 2016, cyber intruders impersonated independent advisors in Voya’s network and called into the back office to get those advisors’ passwords reset, the SEC alleges. The intruders then used the new passwords to access personal information on 5,600 clients. They were then able to access account documents for three customers.
The SEC claims that Voya did not have the proper cybersecurity procedures in place to terminate the hackers’ access, and that the firm should have applied its procedures to its independent advisors.
“This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Robert A. Cohen, chief of the SEC enforcement division’s cyber unit. “They also must review and update the procedures regularly to respond to changes in the risks they face.”