Existence of Cybersecurity Policies Not Enough for SEC

The U.S. Securities and Exchange Commission's recent settlement with a broker-dealer and investment adviser that allegedly violated a rule meant to combat identity theft even though it had cybersecurity policies in place signals that the mere existence of these policies is not enough to avoid scrutiny, experts say.

Voya Financial Advisors Inc. developed an identity theft prevention program in 2009, but nonetheless agreed Wednesday to pay $1 million to resolve the regulator's first action alleging violations of the Identity Theft Red Flags Rule. The SEC said the company violated the rule and the Safeguards Rule, which requires broker-dealers to have policies safeguarding customer records, because Voya's policies either weren't properly implemented or didn't extend to independent contractors.

"These rules are designed to require the company to set up safeguards and red flag policies," said O'Melveny & Myers LLP attorney Scott Pink. "But I think the point here is it's not just setting them up. It's making sure that they actually apply and are adequate for the specific business purposes and services you're providing."

The SEC had alleged Voya's cybersecurity shortcomings allowed people to impersonate its independent contractors and obtain new passwords through the company's technical service line. With these new passwords, the imposters allegedly accessed personal information about thousands of customers. The SEC claimed Voya violated the Identity Theft Red Flags Rule because it lacked "reasonable policies and procedures," even though the SEC said the hackers hadn't actually harmed the customers.

The SEC didn't explicitly define what it considers "reasonable," but the agency likely expects that companies will at least implement their existing policies, said Kirkland & Ellis LLP partner Sunil Shenoi.

Beyond this general expectation, however, Shenoi anticipates the SEC will determine reasonableness on a case-by-case basis.

"I think it would be challenging for the SEC to articulate one rule that would fit for every company out there," he said. "Every company has to tailor their own policies to their particular situation, so the SEC would have a challenge doing that."

The settlement also indicates the regulator isn't focused exclusively on the companies, but on their contractors and other associates as well. Organizations that outsource work need to ensure that there are cybersecurity policies in place for vendors and other organizations with which they share sensitive data, said Alan Brill, senior managing director in risk consultancy firm Kroll's cyber risk practice.

"What the regulators are looking for is not just cybersecurity as it is implemented within the four walls of the organization, but as it is implemented based upon the architecture of your system," he said.

Both Brill and Shenoi expect the SEC to bring more cybersecurity actions going forward, especially because the allegations against Voya didn't hinge on investor harm.

The SEC's order against Voya noted that the hack didn't seem to have involved any unauthorized transfers from customers' accounts, but the SEC fined the company $1 million regardless.

As cybersecurity increasingly becomes a threat to companies, the SEC will have more and more incidents to investigate — especially if harm isn't a factor.

"I think there are a lot of companies that have incidents and handle them and address them, and maybe there's no harm and they think: Hey, we're good. No harm, no foul," Shenoi said.

He expects the SEC will continue levying relatively small fines for these types of infractions because companies are more likely to argue they did in fact have "reasonable policies" in place if the fines are larger.

The Voya settlement comes months after the SEC issued new cybersecurity guidance that outlined factors and obligations issuers should consider when telling investors about material risks they face from hackers and cybercriminals and what an actual incident could mean for the company's health and ongoing operations. It also encouraged them to take certain specific steps, such as ensuring they have policies to prevent insider trading by executives and directors prior to a cyber incident becoming public.

Brill said the guidance should have served as a "wakeup call" that the SEC was taking cybersecurity seriously.

"This is now a very, very loud alarm bell ringing," he said of Wednesday's settlement.