Trusted Professional

For First Time, SEC Charges Firm for Violating Identity Theft Red Flags Rule

The Securities and Exchange Commission Identity Theft Red Flag Rule—
  • Identify relevant types of identity theft red flags;
  • Detect the occurrence of those red flags;
  • Respond appropriately to the detected red flags; and
  • Periodically update the identity theft program.

Cybercriminals compromised the firm in question, Voya Financial Advisors Inc. (VFA), in 2016 by impersonating VFA contractors, calling the company's support line, and requesting that the contractors' passwords be reset. They then used these new passwords to access the personal information of 5,600 VFA customers. The SEC said this happened because the firm's cybersecurity procedures were deficient and, on top of that, the firm failed to apply those procedures to the systems used by its independent contractors, who make up the largest part of the firm's workforce.

“Customers entrust both their money and their personal information to their brokers and investment advisers,” said Stephanie Avakian, co-director of the SEC Enforcement Division. “VFA failed in its obligations when its deficiencies made it vulnerable to cyber intruders accessing the confidential information of thousands of its customers.”

Without admitting or denying the SEC’s findings, VFA agreed to be censured and pay a $1 million penalty, and it will retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule, the Identity Theft Red Flags Rule and related regulations.