When one thinks of the top data-security cops on the beat, the SEC doesn’t typically come to mind. Overshadowed by the Federal Trade Commission, and even state attorneys general, the SEC has been relatively quiet over the years. That may be changing. The SEC’s recent $1 million settlement with Voya Financial Advisors (“VFA”), a registered broker-dealer and investment advisor, marks the SEC’s first enforcement action under the Red Flags Rule and highlights the agency’s recent emphasis on data security and the Safeguards Rule. We expect the SEC to continue flexing its muscle in this space, and the VFA enforcement action should serve as a wakeup call for regulated organizations.
In April of 2016, VFA fell victim to a phishing attack, which permitted unauthorized individuals (the “intruders”) to gain access to “VPro,” a web portal that VFA contractors used to access VFA customer data. According to the order issued by the SEC, the intruders called the company’s IT support line over several days, impersonating VFA investment and advisory contractors. Some of the calls came from phone numbers that had been identified in unsuccessful attempts to impersonate VFA contractors earlier in the year. VFA’s systems flagged the calls as potentially fraudulent on this basis, but the intruders were still able to convince VFA’S IT support staff to reset the target contractors’ passwords that provided access to VPro. Unfortunately, during the password reset process, IT support staff provided temporary passwords over the phone to the intruders. And in two instances, the IT support staff also provided the contractor’s username.
The intruders were able to exploit these errors, as well as several incident response missteps, to gain access to personal information for at least 5,600 VFA customers. Full Social Security numbers or other government-issued identification numbers were accessible for at least 2,000 customers. The intruders were also able to create new customer profiles. Fortunately, the intruders did not access a VFA platform that could be used to execute trades, and it appears that there were no unauthorized transfers of funds or securities from VFA customer accounts due to the incident.
VFA took several remedial actions following the incident. For example, VFA notified affected customers and provided them with free credit monitoring, blocked the malicious IP addresses, revised its user authentication policy to prohibit provision of temporary passwords by phone, and implemented multifactor authentication controls. The SEC viewed these efforts favorably, but the agency still came down hard on VFA, alleging violations of the Red Flags Rule and the Safeguards Rule. The SEC issued an order announcing a settlement in late September of this year. In addition to imposing a $1 million penalty, the SEC censured VFA and required the company to retain a compliance consultant and cooperate with the consultant’s recommendations.
The VFA enforcement action provides several important takeaways for organizations regulated by the SEC:
- It’s time to update your Red Flags Rule and Safeguards Rule compliance programs. The SEC took the position that VFA’s failure to review and update its identity theft prevention program amounted to a violation of the Red Flags Rule. At a high level, the Red Flags Rule requires broker-dealers and advisors to implement a written identity theft prevention program. The program must include policies and procedures designed to identify relevant “red flags” indicating the possibility of identity theft related to certain covered accounts and respond appropriately to those red flags. The program must be “updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.” The Safeguards Rule is a general data security requirement that mandates the implementation of written policies and procedures that address administrative, technical, and physical safeguards designed to protect customer data. The safeguards must be designed to ensure security and confidentiality of customer data, protect against anticipated threats to the security and confidentiality of customer data, and protect against unauthorized access to or use of that data. The security program required under the Safeguards Rule should be updated on a periodic basis to ensure that policies and procedures are reasonably designed to protect customer information in light of evolving threats and changes to an organization’s operations.
- Don’t forget about contractors and other vendors. According to the SEC, even though VFA’s policies and procedures mandated a variety of security measures, VFA did not effectively apply those measures to its contractors, including manual account lock-out, multi-factor authentication, and session-timeout requirements. Over the years we have seen many data breaches related to, or caused by vendors, and this case is yet another example of why vendor-management is crucial to effective data security. In addition to ensuring that appropriate security controls are applied to vendors, organizations must ensure that their vendor contracts protect them in the event of vendor-caused data breaches.
- Poorly-designed or poorly-implemented password-reset procedures can amount to a legal violation. The order provides insight into password-reset controls that the SEC finds deficient. The SEC took issue with VFA’s practice of providing temporary passwords over the phone, rather than transmitting them via email. The SEC was also particularly critical of the decision to also provide usernames over the phone, along with the passwords. In light of the VFA enforcement action, covered organizations should review their password-reset procedures to ensure they align with industry best practices and, at a minimum, do not run afoul of the SEC’s expectations.
- Incident response procedures are fair game, too. The SEC order indicates that, not only will the SEC focus on the security failures that led to a breach, but the agency will also scrutinize how a regulated organization responds to the breach. If an organization is aware that a particular phone number was used in connection with a prior attempt to gain unauthorized access to data or systems, the SEC expects the organization to account for that knowledge and respond appropriately. The SEC order also indicates that the agency expects incident-response personnel to be adequately trained to respond to data security incidents and indicia of identity theft.
The VFA enforcement signals that data security will be an enforcement priority for the SEC going forward and puts SEC-regulated organizations on notice of several of the agency’s expectations for compliance with the Red Flags and Safeguards rules. Broker-dealers, advisors, and other organizations subject to SEC jurisdiction should work with their legal counsel to ensure that they are addressing the applicable requirements and are aligned with the SEC’s interpretation of those requirements. With the prospect of million-dollar fines, Red Flags Rule and Safeguards Flags Rule compliance should be a top priority going forward.