SEC Enforces Little Known Identity Theft Rule
Two weeks ago the SEC settled a case, for the first time, with the help of a little-known 2013 regulation, the Identity Theft Red Flags Rule. The rule requires financial institutions to implement a program to detect, prevent, and mitigate identity theft.
Five years after it was first adopted, the Securities and Exchange Commission has finally censured an organization for failing to adhere to a rule that requires companies to implement a written program to detect the warning signs of identity theft in day-to-day operations.
The SEC hit Voya Financial Advisors, the investment adviser and broker-dealer arm of Voya Financial, with a $1M fine two weeks ago. The firm, which neither admitted nor denied the charges but is settling, enabled hackers to impersonate independent advisers and access sensitive customer data in 2016.
The rule, the Identity Theft Red Flags Rule, reached its compliance date nearly five years ago, on November 20, 2013, after being adopted by both the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC). This is the first enforcement action involving it, however.
According to an SEC cease-and-desist order published in late September, attackers were able to impersonate VFA contractor representatives over six days in April 2016 and gain access to web portals used by the firm. Once they secured access - VFA supplied the individuals with password resets and, in some cases, even usernames - the attackers had access to the personally identifiable information of 5,600 customers. While there were no known transfers of funds or securities from the accounts, customers' names, email addresses, dates of birth, addresses, and the last four digits of their Social Security numbers were exposed. The SEC claims the hackers were also able to access other data, including account balances, account documents, tax documents, and other account information. Once inside, the hackers were also able to change the email and physical addresses associated with customer profiles without triggering fraud alerts.
For what it’s worth, VFA did have an Identity Theft Prevention Program in place; it just hadn't been updated since 2009, according to the SEC. To compound the risk, no one from the company's board of directors or its management oversaw the program, something the Identity Theft Red Flags Rule stipulates.
The settlement closes the book on a first-of-its-kind case. While the $1M fine is relatively small potatoes, it should serve as a warning shot. It’s unlikely the Commission will be as forgiving the next time around.
"This SEC action highlights the importance of conducting regular reviews of cybersecurity and incident response protocols, assessing whether policies are in fact being followed, and ensuring proper training," Sabastian V. Niles, Marshall L. Miller, and Jeohn Salone Favors, a trio of attorneys with the New York-based firm Wachtell, Lipton, Rosen & Katz, wrote Friday on a Harvard Law School blog.
The SEC has hardened its stance on cybersecurity issues over the last several years. Financial firms that were unaware of the rule should ensure they are compliant and have an identity theft program designed to safeguard sensitive data in place.
The Commission updated its cybersecurity disclosure guidance earlier this year, asking companies to “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion,” and to “avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure.”
Securities and Exchange Commission building image via glass_window's Flickr photostream, Creative Commons