SEC Case Brings Rarely Used Cyber Rules into Limelight

On Sept. 26, 2018, Voya Financial Advisors Inc. settled charges with the U.S. Securities and Exchange Commission regarding alleged violations of SEC rules relating to the protection of customer information and the prevention of identity theft. The Voya settlement represents the first SEC enforcement action involving the Identity Theft Red Flags Rule, Rule 201 of Regulation S-ID (17 C.F.R. § 248.201),[1] which requires certain financial institutions and creditors, including broker-dealers and investment advisers, to develop and implement a written identity theft prevention program designed to detect, prevent and mitigate identity theft in connection with the opening of a covered account. It also represents only the third SEC action involving the Safeguards Rule, Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)), which requires broker-dealers and registered investment advisers to adopt written policies and procedures designed to protect against unauthorized access to customer information. The Voya settlement provides a critical data point in evaluating how the SEC plans to enforce these two rules going forward. Specifically, the Voya action provides guidance on the types of policies that are not likely to be reasonable under these rules, the role that consumer or investor harm and materiality play in the enforcement of these rules, and how the SEC will monitor companies’ compliance with these rules going forward.

Summary of the Action

According to the SEC, from 2013 to 2017, Voya gave certain independent contractors access to a web portal that allowed the contractors to access personally identifiable information about Voya’s customers and manage those customers’ accounts. During six days in April 2016, certain unauthorized actors impersonated Voya’s contractors and called Voya’s technical support line to request a reset of those contractors’ passwords for the web portal. Voya’s technical support staff reset the passwords, provided temporary passwords over the phone, and in two instances, provided a contractor’s username. The SEC alleged that the impersonators ultimately used the contractors’ usernames and passwords to gain unauthorized access to PII for at least 5,600 customers of Voya. For at least 2,000 customers, the intruders viewed their full Social Security number and/or another government-issued identification number. The impersonators also obtained at least one Voya customer’s account documents that contained PII.

The SEC recognized Voya’s remedial acts in response to the intrusion, including blocking malicious IP addresses, revising its user authentication policy, issuing breach notices to affected customers and offering one year of free credit monitoring, and modifying its multifactor authentication process. Nevertheless, according to the SEC, Voya violated the Safeguards Rule because several aspects of Voya’s policies and procedures were not reasonably designed. The SEC also alleged that several aspects of Voya’s identity theft prevention program were not reasonably designed, thereby violating the Identity Theft Red Flags Rule. The settlement included a $1 million fine.

Key Takeaways

Ad Hoc Approach to Reasonableness

Despite its promulgation in April 2013 in connection with the Dodd-Frank Wall Street Reform and Consumer Protection Act, the Identity Theft Red Flags Rule had not been enforced prior to the Voya settlement. The Voya settlement does not provide clear guidance as to what qualifies as “reasonable policies and procedures” under the Identity Theft Red Flag Rule. The SEC did, however, identify particular aspects of Voya’s policies and procedures that the SEC deemed to be not reasonable. For example, the SEC alleged that even though Voya’s incident response procedures required potentially compromised user accounts to be shut down to prevent additional compromise, the agency alleged that these procedures were not reasonable because Voya did not adequately train its staff to shut down potentially compromised accounts. Further, Voya’s incident response procedures were allegedly not reasonable because they failed to ensure that Voya’s technical support team and call center staff were notified about the intrusion. The SEC also alleged that Voya failed to substantively update its identity theft prevention program after implementing it in 2009, despite the rapidly changing nature of cybersecurity threats.

The SEC has also rarely brought enforcement actions involving the Safeguards Rule. Since the Safeguards Rule was promulgated in 2000 (and amended in 2004), companies have only been able to refer to two enforcement actions to determine what types of policies are considered reasonable for protecting consumer information. In the Voya settlement, the SEC indicated that cybersecurity policies are not reasonable when they allow a user who could not remember his password to obtain a temporary password by phone, rather than by secure email. In addition, policies are likely to be deemed not reasonable when they are not followed in practice, such as when Voya did not scan many personal computers of independent contractors for security deficiencies, even though such scanning was specified by Voya’s policies. Broker-dealers and investment advisers, therefore, will need to carefully and periodically review their policies and procedures to confirm that they are consistent with this and future SEC enforcement actions regarding identity theft prevention.

No Harm, But Still a Foul

 Another key reason the Voya action is significant is that the SEC acknowledged that “[t]here have been no known unauthorized transfers of funds or securities from Voya customer accounts as a result of the attack.”[2] The lack of apparent harm to customers or investors is consistent with its past enforcement actions involving the Safeguards Rule. In 2014, the SEC entered into a settlement with R.T. Jones regarding its failure to adopt reasonable policies and procedures, even though at the time of the settlement, the SEC acknowledged that “the firm has not learned of any information indicating that a client has suffered any financial harm as a result of the cyber attack.”[3] In 2016, the SEC entered into a settlement with Morgan Stanley regarding violations of the Safeguards Rule that did not identify any financial harm, although the SEC noted that the stolen customer information was posted on the internet.[4] Further, both Morgan Stanley and Voya were fined $1 million. Significantly, none of the three Safeguards Rule settlements involved any discussion of materiality. Thus, the Voya settlement establishes a trend that the SEC will likely seek penalties for violations of the Safeguards Rule and the Identity Theft Red Flags Rule, regardless of whether the violation is material and regardless of whether consumers or investors suffer harm as a result of the alleged violation.

Compliance Consultant

The Voya settlement is also notable because it represents the first time that the SEC has mandated that a company engage an independent compliance consultant in connection with violations of the Safeguards Rule or the Identity Theft Red Flags Rule. Specifically, the settlement requires the consultant “to conduct a comprehensive review of Respondent’s policies and procedures for compliance with Regulation S-P and Regulation S-ID.”[5] Voya’s consultant is only required to submit one report on Voya’s compliance policies and procedures, and this report is due within three months of the settlement. Although new in the context of the Safeguards Rule and the Identity Theft Red Flags Rule, the obligations relating to Voya’s independent compliance consultant are less burdensome than similar requirements in SEC settlements involving other statutes or rules, which can involve multiple compliance reviews over up to seven years.[6] As a result, companies should expect that future SEC enforcement actions involving the Safeguards Rule or the Identity Theft Red Flags Rule will likely include increased obligations with respect to independent compliance monitoring and reporting.

Conclusion

The Voya settlement represents a substantial step forward in the SEC’s regulation of cyber-related activities. The settlement demonstrates that (1) the reasonableness of identity theft prevention programs will be evaluated on a case-by-case basis rather than by reference to an established baseline, (2) the SEC will enforce violations of the Safeguards Rule and Identity Theft Red Flags Rule regardless of the materiality of the violation or the lack of harm resulting from the violation, and (3) the SEC will likely continue to impose independent compliance consultants and monitors in settlements related to cyber-related incidents. Given the increased occurrence of data security incidents and potential identity theft, the Safeguards Rule and the Identity Theft Red Flags Rule represent tools that the SEC is likely to utilize with greater frequency. Accordingly, companies should undertake periodic reviews of their policies and procedures to implement best practices and ensure consistency with recent SEC enforcement actions.

Erica Williams is a partner at Kirkland & Ellis LLP. She was special assistant and associate counsel to President Barack Obama and spent 11 years at the U.S. Securities and Exchange Commission, serving as deputy chief of staff for three chairmen.

Sunil Shenoi is a partner at Kirkland & Ellis.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] The Identity Theft Red Flag Rule was jointly issued in 2013 by the SEC and the U.S. Commodity Futures Trading Commission. Exchange Act Release Nos. 34-69359, IA-3582, IC-30456 (Apr. 10, 2013), available at https://www.sec.gov/rules/final/2013/34-69359.pdf. The Identity Theft Red Flag Rule was added to 17 C.F.R. § 248.201 and 17 C.F.R. § 162.32 of the SEC’s and CFTC’s respective regulations. Id.

[2] In the Matter of Voya Financial Advisors Inc., Exchange Act Release No. 84288, Investment Advisers Act Release No. 5048, at 3 (Sept. 26, 2018), available at https://www.sec.gov/litigation/admin/2018/34-84288.pdf.

[3] In the Matter of R.T. Jones Capital Equities Mgmt. Inc., Investment Advisers Act Release No. 4204 (Sept. 22, 2015), available at https://www.sec.gov/litigation/admin/2015/ia-4204.pdf.

[4] In the Matter of Morgan Stanley Smith Barney LLC, Exchange Act Release No. 78021, Investment Advisers Act Release No. 4415 (June 8, 2016), available at https://www.sec.gov/litigation/admin/2016/34-78021.pdf.

[5] In the Matter of Voya Financial Advisors Inc., Exchange Act Release No. 84288, Investment Advisers Act Release No. 5048, at 10 (Sept. 26, 2018), available at https://www.sec.gov/litigation/admin/2018/34-84288.pdf.

[6] David M. Stuart, SEC Compliance and Enforcement Answer Book 9-21 (2017 ed.), available at http://stoneturn.com/wp-content/uploads/2017/07/2017-SEC-Compliance-and-Enforcement-Answer-Book_SEC-Imposed-Monitors.pdf.