Voya pays $1 million to settle SEC charges over cybersecurity breach

Attackers allegedly impersonated independent advisers to gain access to VFA's online portal

Sep 26, 2018 @ 2:31 pm

By Ryan W. Neal

Voya Financial Advisors will pay $1 million to settle Securities and Exchange Commission charges regarding a data security breach that compromised the personal information of thousands of customers.

An SEC order says that over a period of six days in April 2016, criminals impersonating independent advisers called the firm's support line and requested new passwords. The passwords gave the intruders access to the personal information of 5,600 Voya Financial customers, the SEC alleges.

The imposters used this information to create new online customer profiles. They also obtained access to three customers' account documents.

Within hours of the first fraudulent reset request, the targeted adviser received an email notification and informed Voya. According to the SEC order, VFA took steps to respond to the intrusion but did not prevent the attackers from accessing the VFA portal through other compromised adviser logins.

The SEC claims the intruders gained access through weaknesses in VFA's cybersecurity procedures, some of which had previously been exposed in similar frauds. In two instances when the intruders called VFA's support line, they used phone numbers previously identified as being associated with fraudulent activity.

The order says VFA also failed to apply its procedures to systems used by independent contractors, who make up the largest part of VFA's workforce.

"This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models," Robert A. Cohen, chief of the SEC enforcement division's cyber unit, said in a statement. "They also must review and update the procedures regularly to respond to changes in the risks they face."

It's the SEC's first action charging violations of its "identity theft red flags rule," which requires firms to develop and implement a written program to prevent identity theft. VFA was also charged with violating the "safeguards rule" on protecting customer records and information.

A company spokesperson released a statement saying that the firm is pleased to have resolved the matter, that no personal information was downloaded from its systems and that there was no evidence of financial harm to consumers.

"Voya promptly addressed and reported the incident when it occurred 2 years ago, and we notified the individuals who were involved," the spokesperson wrote. "We have also enhanced our measures so that a similar situation does not reoccur."

The firm also acknowledged that independent advisers and other third parties are increasingly targets for fraud.

"As part of our efforts, Voya continues to work with and support these partners to help protect their identity and client information," according to the statement.

Sid Yenamandra, CEO of cybersecurity firm Entreda, expects to see more violations of the identity theft rule in the future because many firms haven't been focusing on risks from independent contractors or other third parties. Mr. Yenamandra said it is an operational challenge to enforce security rules for entities that aren't in-house.

He hopes enforcement actions like this one will get broker-dealers and RIAs to take the issue more seriously.

"When there's no police on the highway, folks are going to speed," Mr. Yenamandra said. "The minute you see an enforcement action like this, the issue becomes front and center."

