A recent U.S. Securities and Exchange Commission (SEC) enforcement action punishing a financial firm for its subpar data security practices—the agency’s first-ever use of its “red flags” rule—called out the company’s board of directors for its failure to “administer and oversee” the program.
While corporate boards are charged with the general oversight of business risks including cyber risks, it’s far from the norm for a data security regulation to draw a straight line to the boardroom. The SEC’s “red flags rule” does just that and places direct responsibility on corporate boards. In an enforcement order against Voya Financial Advisors, the Iowa-based investment advisory arm of Voya Financial, the commission used the rule to censure the asset management firm for allowing hackers to roam freely though its customer information. The hackers were able to access social security numbers, account balances, and even details of client investment accounts, according to the commission.
This should set off alarm bells for every financial firm and board of directors under the SEC’s watch. It’s likely that most companies are not in compliance with the rule and, given the agency’s increased focus on cybersecurity, this should be their wake-up call to quickly get such a program in place.
Five years ago, the SEC adopted the rule, formally called the “Identify Theft Red Flags Rule,” which requires investment firms to pay attention to identity theft by developing and implementing a written program to “detect, prevent and mitigate” identity theft and fraud, and to provide “red flags” or other warning signs when hackers might be trying to steal customer information or customer identities. The rule also requires that a firm’s board of directors or senior leadership administer the program. But until recently, the SEC did not enforce the rule.
The SEC’s charge against Voya implies that the company’s conduct was so egregious that it might explain the agency’s decision to finally make use of its “red flags” rule. During a six-day window in 2016, cybercriminals impersonated Voya’s independent investment representatives—the largest segment of the firm’s work force—by calling the Voya help line and asking that their passwords be reset. Even though some of the telephone numbers used by the hackers were already flagged in Voya’s system as being associated with fraud, the callers still made it past security and were able to convince Voya’s help line to reset their passwords and provide new passwords over the phone, according to the SEC.
The intruders used the new passwords to gain access to the personal information of 5,600 customers, the SEC alleged, and then used the customer information to create new online customer profiles and identities and to pour through thousands of account records.
Without so much as triggering a fraud alert, hackers were able to change a legitimate customer’s phone number and address of record, which meant account statements and confirmations would be re-routed from legitimate customers to the hackers. In several instances, the SEC said, hackers used a “@yopmail.com” address, a disposable email service that lets users create an email address, review incoming emails, and then destroy everything.
Voya had an identity theft program in place since 2009 but the program was not updated, nor was it approved by the firm’s board of directors or senior leaders, as is required. Instead, the program languished, was ignored by Voya’s security team and fell far below the requirements of the regulation.
Although Voya did not admit or deny liability in the SEC settlement, the commission deemed the firm’s violation of the red flags rule as “willful.”
“VFA’s [Voya Financial Advisors] board of directors or a designated member of VFA’s management did not administer and oversee the Identity Theft Prevention Program, as required by the Identity Theft Red Flags Rule,” concluded the SEC.
In the settlement, the SEC ordered that Voya clean up a laundry list of data security issues and also mandated that it engage a consultant to monitor its compliance with the red flags rule. This is also a first time the SEC has ordered use of an independent monitor to police compliance with the red flags rule.
Yet it’s likely that few firms and even fewer boards are aware of the rule. Many firms and their leaders are familiar with the SEC’s general data security rule and its guidance to public companies about disclosing cybersecurity risks and data breaches, but the red flags rule—for all its timeliness and importance—has flown under the proverbial radar screen.
Over the past few years, the SEC has made scrutiny of companies’ cybersecurity practices a priority. Earlier this year, the agency updated guidance to public companies, telling them to beef up cybersecurity risk factors and data breach disclosures. And in April, the SEC pursued its first-ever cybersecurity enforcement action over the massive Yahoo! data breach after it was learned that the company sat on news for more than two years that hackers had made off with the personal information of more than 500 million users. Altaba, the company that has since purchased Yahoo, was fined $35 million for the tardy disclosure.
With the SEC toughening its stance on data security issues, corporate leaders and board members should treat the Voya case as an object lesson and ensure that their identity theft programs are up-to-date and align with the particular cybersecurity risks that face their organization. Although Voya was only hit with a symbolic $1 million fine, it’s doubtful that the SEC will be as forgiving in the future.
Craig A. Newman is a partner with Patterson Belknap Webb & Tyler LLP, the New York law firm, and chair of its Privacy and Data Security Practice. All thoughts are his own.