Antitrust and Unfair Competition Law
Voya to Revise Cybersecurity Protocols in Settlement with the SEC
Alex Ohanian
Legal Intern, Federal Trade Commission
The Securities and Exchange Commission instituted cease and desist proceedings against Voya Financial Advisors, citing violations of the Safeguards Rule, and the Identity Theft Red Flags Rule. The proceedings constitute the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule.
Voya Financial Advisors is an investment advisor that offers a wide range of products and services. Voya sells its products through a national network of independent contractor representatives. The Safeguards Rule requires broker-dealers and investment advisors to adopt written policies and procedures implementing practices for the protection of customer information. Voya violated the Safeguards Rule by implementing cybersecurity policies which were not “reasonably designed” to ensure the confidentiality of sensitive customer information.
Between 2013 and 2017, Voya’s independent contractor representatives were given access to sensitive information about brokerage customers and advisory clients through a proprietary web portal. During this time, Voya established cybersecurity policies which required: a) an automatic session timeout after a period of inactivity in web applications containing PII, b) a prohibition of concurrent web sessions by a single user in web applications containing PII, and c) multi-factor authentication for access to applications containing PII.
Although Voya’s cybersecurity policies applied to all Voya personnel, the policies were not “reasonably designed” to apply to the systems used by independent contractors. Though prohibited by the company’s policy, Voya frequently allowed its contractor representatives to maintain concurrent web sessions, and failed to enforce automatic timeouts after long periods of inactivity in applications containing sensitive customer information. In addition, Voya’s multi-factor authentication procedures were inadequate, because the safeguards in place could be circumvented by calling Voya’s Customer Support team, and resetting an individual’s security questions.
Next, Voya’s incident response procedures were not “reasonably designed” to “detect and prevent” identity theft as required by the Identity Theft Red Flags Rule. The Identity Theft Red Flags Rule requires certain financial institutions to develop and implement a written Identity Theft Prevention Program designed to detect and prevent identity theft. The rule also requires institutions to update their Identity Theft Prevention Programs to reflect changes in the nature of risks to customers. Voya violated the Identity Theft Red Flags Rule by failing to implement a written Identity Theft Prevention Program that could effectively detect and prevent identity theft. In April of 2016, hackers exploited weaknesses in the company’s cybersecurity infrastructure and gained access to sensitive information about nearly 5,600 customers. Afterwards, Voya employees failed to prevent further intrusions from the IP addresses responsible for the attack. Moreover, Voya did nothing to address the compromised user sessions, primarily because they mistakenly believed that resetting a user’s password would automatically terminate all active sessions.
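The three portal controls listed above (idle timeout, no concurrent sessions per user, and the need to revoke live sessions when a credential is reset) can be shown in a small session store. The following Python is an added illustration written for this summary; it is not Voya's code and is not drawn from the SEC order. The 15-minute timeout value, the user names and the method names are all assumptions, and the `reset_password_naive` method reproduces the mistaken belief described in the order: changing a password by itself does nothing to sessions that are already open.

```python
"""Session controls for a PII-bearing web portal (illustrative, not Voya's code):
idle timeout, one concurrent session per user, and revocation of every active
session when a user's credentials are reset."""
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value; the order states no number


@dataclass
class Session:
    user: str
    last_seen: float
    credential_version: int  # version of the user's credentials at login time


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}   # session token -> Session
        self._cred_version: dict[str, int] = {}   # user -> current credential version
        self._password_reset_count: dict[str, int] = {}  # bookkeeping only

    def login(self, user: str, now: float) -> str:
        # Concurrent sessions are prohibited: a new login supersedes any open one.
        self.revoke_user(user)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, self._cred_version.get(user, 0))
        return token

    def revoke_user(self, user: str) -> int:
        """Terminate every session belonging to `user`; returns how many were closed."""
        stale = [t for t, s in self._sessions.items() if s.user == user]
        for t in stale:
            del self._sessions[t]
        return len(stale)

    def active_sessions(self, user: str) -> int:
        return sum(1 for s in self._sessions.values() if s.user == user)

    def validate(self, token: str, now: float) -> bool:
        """True if the token refers to a live session; touches last_seen on success."""
        s = self._sessions.get(token)
        if s is None:
            return False
        if now - s.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]          # automatic timeout after inactivity
            return False
        if s.credential_version != self._cred_version.get(s.user, 0):
            del self._sessions[token]          # credentials changed since login
            return False
        s.last_seen = now
        return True

    def reset_password_naive(self, user: str) -> None:
        # The mistaken model: the credential is changed, but nothing is done about
        # sessions that are already open, so a hijacked session keeps working.
        self._password_reset_count[user] = self._password_reset_count.get(user, 0) + 1

    def reset_password(self, user: str) -> int:
        # Correct handling: bump the credential version (so any session that slips
        # past revocation fails validation) and close every open session now.
        self._password_reset_count[user] = self._password_reset_count.get(user, 0) + 1
        self._cred_version[user] = self._cred_version.get(user, 0) + 1
        return self.revoke_user(user)


def demo() -> dict[str, bool]:
    """Walk through the controls with an assumed user 'rep1' and a fake clock."""
    store = SessionStore()
    token = store.login("rep1", now=0.0)
    results = {"fresh_session_valid": store.validate(token, now=60.0)}
    store.reset_password_naive("rep1")
    results["survives_naive_reset"] = store.validate(token, now=120.0)   # True: the flaw
    store.reset_password("rep1")
    results["survives_real_reset"] = store.validate(token, now=130.0)    # False
    first = store.login("rep1", now=200.0)
    second = store.login("rep1", now=210.0)
    results["first_session_after_second_login"] = store.validate(first, now=215.0)
    results["second_session_valid"] = store.validate(second, now=215.0)
    results["valid_after_idle_timeout"] = store.validate(second, now=215.0 + 16 * 60)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `credential_version` check is the part that matters in a deployment with several portal nodes or an external session cache: even if a revocation message is lost, a session minted before the reset carries the old version and is rejected on its next request.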
Without admitting or denying the charges of misconduct, Voya Financial Advisors agreed to pay a fine of $1 million, and to bring its practices into compliance with regulatory requirements. Voya also agreed to retain a Chief Information Security Officer, who will be responsible for maintaining revised cybersecurity policies that comply with regulatory requirements.