The Securities and Exchange Commission said Wednesday that a Des Moines-based broker-dealer and investment advisor has agreed to pay $1 million to settle charges for cybersecurity failures that led to a cyber intrusion that compromised thousands of customers’ personal information.
The SEC charged Voya Financial Advisors Inc. (VFA) with violating Regulation S-P, or the Safeguards Rule, and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft.
VFA failed to adopt written policies and procedures reasonably designed to protect customer records and information, and failed to develop and implement a written Identity Theft Prevention Program, the SEC states.
This is the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule, the securities regulator said.
“This case is a reminder to brokers and investment advisors that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Robert Cohen, chief of the SEC Enforcement Division’s Cyber Unit. “They also must review and update the procedures regularly to respond to changes in the risks they face.”
According to the SEC order, VFA gave its independent contractor representatives access to its brokerage customer and advisory client information through a proprietary web portal.
“Through the portal, the contractor representatives accessed the personally identifiable information of VFA customers and managed the customers’ brokerage accounts,” the order states.