Please enable JavaScript to view this website.

Leave No Flag Undetected: The Impact of the Cyber-Security Failure of Voya Financial Advisors, Inc. upon the Cyber-Security Endeavors of the Securities and Exchange Commission

Section I. Introduction

The importance of the preservation of sensitive personal information cannot be overstated. What used to be stored securely in safes, physical archives, and one’s own memory has increasingly become the subject of compulsory data collection from an expanding list of companies and institutions. As more of these businesses turn to electronic technology as the preferred safehouse for sensitive personal information, consumers expect or, at the very least, assume that their information will be protected from acts of intrusion committed by sophisticated hackers and cyber-thieves. Unfortunately, this expectation of trust—which offers the benefit of the doubt to the companies acquiring the personal information of their consumers—may lead to disappointment or, perhaps, shock as a result of the seemingly unending stream of corporate disclosures on data breaches of varying degrees of scale and severity. ((See, e.g., Mike Isaac & Sheera Frenkel, Facebook Security Breach Exposes Accounts of 50 Million Users, The New York Times (Sept. 28, 2018), https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html; Zack Whittaker, Altaba to Settle Lawsuits Relating to Yahoo Data Breach for $47 Million, TechCrunch (Sept. 17, 2018), https://techcrunch.com/2018/09/17/altaba-to-settle-lawsuits-relating-to-yahoo-data-breach-for-47-million/.))

One salient series of data breach incidents occurred under the watch of Voya Financial Advisors, Inc., a subsidiary of Voya Financial, Inc. ((Press Release, Sec. & Exch. Comm’n, SEC Charges Firm with Deficient Cybersecurity Procedures (Sept. 26, 2018).)) Because, among other reasons, Voya Financial Advisors, Inc. (“V.F.A.”) was registered as a broker-dealer with the Securities and Exchange Commission (“S.E.C.”), the incidents resulted in proceedings initiated by the S.E.C against V.F.A. ((Voya Fin. Advisors, Inc., Exchange Act Release No. 84288, Investment Advisers Act Release No. 5048, 2018 WL 4627393, Section I (Sept. 26, 2018).)) The S.E.C. charged the subsidiary with two violations—one violation of Rule 30(a) under Regulation S-P and one violation of Rule 201 under Regulation S-ID. ((Id. at Section III.)) Although the case resulted in the imposition of a cease-and-desist order and censure upon the company, ((Id. at Section IV.)) the potentially lasting impact of the proceedings arose from the two aforementioned rules that the S.E.C. utilized successfully to hold V.F.A. accountable for the data breaches.

This blog post considers the continued efforts of the S.E.C. to address issues of cyber-security as illustrated by the proceedings against V.F.A. Sections II and III explore the purpose and scope of Rule 30(a) and Rule 201, respectively. Section IV examines the application of Rule 30(a) and Rule 201 with respect to the facts surrounding the V.F.A. data breaches. And Section V concludes the blog post with a brief discussion regarding the implications of the V.F.A. case for those companies and institutions under the purview of the securities laws and regulations as set forth by the S.E.C.

Section II. Rule 30(a)—Origins, Purpose, and Scope.

The first violation through which the S.E.C. held V.F.A. responsible for the data breaches pertained to Rule 30(a) under Regulation S-P. ((Id. at Section III.)) Also known as the “Safeguards Rule,” ((Id.)) Rule 30(a) comprised just one of many rules promulgated by the S.E.C. to advance a legislative mandate for the protection of consumers’ sensitive personal information. ((Privacy of Consumer Financial Information (Regulation S-P), Exchange Act Release No. 34-42974, 72 S.E.C. Docket 1694 (June 22, 2000).)) That legislative mandate originated from the Gramm-Leach-Bliley Act of 1999 (“G.L.B Act”). ((Id.; Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809, 6821-6827 (2012).)) One significant goal of the G.L.B. Act concerns the responsibility of financial institutions to preserve the confidentiality and security of the “nonpublic” personal information of their respective consumers. ((15 U.S.C. § 6801(a) (2012).)) Generally, financial institutions affected by the G.L.B. Act encompass those institutions that conduct financial activities, with several exceptions including financial activities under the purview of the Commodity Exchange Act and the Farm Credit Act of 1971. ((15 U.S.C. § 6809(3) (2012).)) Financial activities that contribute to the definition of financial institutions under the G.L.B. Act include “[l]ending, exchanging, transferring, investing for others, or safeguarding money or securities” ((12 U.S.C. § 1843(k)(4)(A) (2012).)) and “[p]roviding financial, investment, or economic advisory services, including advising an investment company . . . .” ((12 U.S.C. § 1843(k)(4)(C) (2012).)) In order to enforce its objective, the G.L.B. Act commands a set of agencies to design and implement rules to which financial institutions must adhere. ((15 U.S.C. § 6801(b) (2012).)) One of those entities of authority happens to be the Securities and Exchange Commission. ((15 U.S.C. § 6805(a) (2012).))

Like the other agencies listed under the G.L.B. Act, the S.E.C. has been selected to create rules that elevated the standard of protection among businesses regarding consumers’ personal information. The standard of protection promoted by the G.L.B. Act focuses on the confidentiality and security of customer data with weight given to the defense against cyber-threats that result in “unauthorized access to or use of” the data. ((15 U.S.C. § 6801(b) (2012).)) Pursuant to, among other sources of authority, 15 U.S.C. § 6804 (§ 504 of the G.L.B. Act) and 15 U.S.C. §§ 78q and 78w (§ 17 and § 23 of the Securities and Exchange Act of 1934), the S.E.C. has followed through with its responsibilities under the enacted legislation through the creation of Regulation S-P. ((Privacy of Consumer Financial Information (Regulation S-P), Exchange Act Release No. 34-42974, 72 S.E.C. Docket 1694 (June 22, 2000).)) Under Regulation S-P, financial institutions must “provide notice to customers about [their] privacy policies and practices” and, depending upon the circumstances, may share customer data deemed nonpublic to “nonaffiliated third parties.” ((17 C.F.R. § 248.1(a) (2017).)) Moreover, Regulation S-P concerns only “nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes . . . .” ((17 C.F.R. § 248.1(b) (2017).)) Those “brokers, dealers, and investment companies . . . [and] investment advisers” registered with the S.E.C. constitute the parties affected by Regulation S-P. ((Id.))

The clear purpose and scope of Regulation S-P alleviate at least some of the burdens associated with the interpretation of Rule 30(a) (“Safeguards Rule”). Firstly, the scope of the Safeguards Rule meets the scope of Regulation S-P in that the rule applies to “[e]very broker, dealer, and investment company, and every investment adviser registered with the Commission . . . .” ((17 C.F.R. § 248.30(a) (2017).)) Secondly, the Safeguards Rule, as suggested by its moniker, serves to compel brokers, dealers, investment companies, and registered investment advisers to implement systems to safeguard effectively the private personal information of their respective customers. ((Id.)) To do so, these entities “must adopt written policies and procedures” that are “reasonably designed” to meet the very standard of protection as outlined by the G.L.B. Act—to maintain the confidentiality and security of customer data with weight given to the defense against cyber-threats that result in “unauthorized access to or use of” the data. ((17 C.F.R. § 248.30(a)(1)-(3) (2017).)) For the most part, the Safeguards Rule expresses clearly its intended purpose to further the objective of Regulation S-P, which in turn advances the goal of the G.L.B. Act. The only aspect of the rule that may lead to different interpretations pertains to the “reasonably designed” requirement ((17 C.F.R. § 248.30(a) (2017).)) for the safeguard systems. The V.F.A. case, however, does not even entertain the possibility of competing perspectives regarding whether the subsidiary met that requirement due to the facts surrounding the data breach incidents (as discussed in Section IV).

Section III. Rule 201—Origins, Purpose, and Scope.

The second violation through which the S.E.C. held V.F.A. accountable for the data breaches concerning nonpublic V.F.A. customer information concerned Rule 201 under Regulation S-ID. ((Voya Fin. Advisors, Inc., Exchange Act Release No. 84288, Investment Advisers Act Release No. 5048, 2018 WL 4627393, Section III (Sept. 26, 2018).)) Rule 201, known as the “Identity Theft Red Flags Rule,” ((Id.)) shares a generally similar path of origins as the Safeguards Rule; nevertheless, an examination which traces the roots of this rule may offer greater insight into the the rule’s purpose and scope. Just as the Safeguards Rule was promulgated by the S.E.C. under a legislative mandate, ((Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801-6809, 6821-6827 (2012).)) the S.E.C. created the Identity Theft Red Flags Rule via a different, more recent, legislative mandate. This mandate arose through the Fair Credit Reporting Act of 1970 (“F.C.R.A.”) by means of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank Act”). ((Fair Credit Reporting Act of 1970, 15 U.S.C. § 1681m(e)(1)(A)-(B) (2012); Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Pub. L. No. 111-203, 124 Stat. 1376 (2010).)) In 2003, the F.C.R.A. was amended such that agencies at the federal level were required to “issue joint rules and guidelines regarding the detection, prevention, and mitigation of identity theft for entities subject to their respective enforcement authorities.” ((Identity Theft Red Flags Rules, Exchange Act Release No. 34-69359, 106 S.E.C. Docket 165 (Apr. 10, 2013).)) These rules (and guidelines) constituted the identity theft red flags rules. ((Id.)) Among the federal agencies granted the authority to jointly establish these rules included the Federal Deposit Insurance Corporation and the Federal Trade Commission. Other federal entities, such as the S.E.C. and the Commodity Futures Trading Commission (“C.F.T.C.”), were not yet included in the list. ((Id.)) The operative word being yet. The jointly-issued rules and guidelines nevertheless impacted at least some parties that answered to those federal entities that lacked the prerequisite authority under the F.C.R.A. since 2003; accordingly, the rules and guidelines established in 2007 under the F.C.R.A. mandate impacted, for example, brokers, dealers, investment companies, and registered investment advisers. ((Id.))

Three years later, in 2010, Congress passed the Dodd-Frank Act, which, among other changes, amended the F.C.R.A. with respect to the grant of the authority to establish identity theft red flags rules. ((Id.)) The modifications to the F.C.R.A. by the Dodd-Frank Act expanded the number of federal-level entities granted the mandate to jointly implement identity theft red flags rules by at least two with the inclusion of the S.E.C. and the C.F.T.C. ((Id.; 15 U.S.C. § 1681m(e)(1) (2012).)) Consequently, the S.E.C. and the C.F.T.C. issued jointly, in 2013, the rules and guidelines constituting identity theft red flags rules for their respective jurisdictions. ((Identity Theft Red Flags Rules, Exchange Act Release No. 34-69359, 106 S.E.C. Docket 165 (Apr. 10, 2013).)) For its part, the S.E.C. created Regulation S-ID, entitled “Identity Theft Red Flags,” to satisfy the red flags rules requirement of the F.C.R.A. as amended by the Dodd-Frank Act in 2010. ((Id.; 17 C.F.R. §§ 248.201, 248.202 (2017).)) Because it contributes to the field of sensitive consumer data protection, Regulation S-ID has been placed unsurprisingly near Regulation S-P, under which the Safeguard Rule resides, within the same title, chapter, and part in the Code of Federal Regulations. ((See 17 C.F.R. Ch. II, Part 248, Subpart A (“Regulation S-P”), Subpart C (“Regulation S-ID”) (2017).)) Regulation S-ID contains two sections, only one of which the S.E.C. has labelled the Identity Theft Red Flags Rule. ((Voya Fin. Advisors, Inc., Exchange Act Release No. 84288, Investment Advisers Act Release No. 5048, 2018 WL 4627393, Section III (Sept. 26, 2018).))

Rule 201, the S.E.C. Identity Theft Red Flags Rule, ((17 C.F.R. § 248.201 (2017).)) contains several figurative layers which collectively establish clear and predictable standards. Firstly, creditors and financial institutions are affected by the Identity Theft Red Flags Rule. ((17 C.F.R. § 248.201(a) (2017).)) Though that may appear vague, the S.E.C. further defines the relevant parties to the Identity Theft Red Flags Rule—registered brokers and dealers pursuant to the Securities Exchange Act of 1934, registered investment companies pursuant to the Investment Company Act of 1940, and registered investment advisers pursuant to the Investment Advisers Act of 1940. ((17 C.F.R. § 248.201(a)(1)-(3) (2017).)) Note already the similarities to the Safeguards Rule. ((17 C.F.R. § 248.30(a) (2017).)) The rule imposes additional requirements for creditors and financial institutions that “offer[] or maintain[] one or more covered accounts.” ((17 C.F.R. § 248.201(d)(1) (2017).)) Covered accounts refer to any account “offer[ed] or maintain[ed], primarily for personal, family or household purposes . . . designed to permit multiple payments or transactions,” ((17 C.F.R. § 248.201(b)(3)(i) (2017).)) including those accounts that carry a “reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft . . . .” ((17 C.F.R. § 248.201(b)(3)(ii) (2017).))

The additional requirement imposed upon financial institutions and creditors that “offer[] or maintain[]” at least one covered account ((17 C.F.R. § 248.201(d)(1) (2017).)) lies at the heart of the Identity Theft Red Flags Rule. Such financial institutions and creditors require a “written Identity Theft Prevention Program . . . designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.” ((Id.)) Accordingly, these financial institutions and creditors must implement “reasonable policies and procedures” such that their respective Identity Theft Prevention Programs can “[i]dentify relevant Red Flags,” “[d]etect Red Flags,” “[r]espond appropriately to any [detected] Red Flags,” and undergo updates. ((17 C.F.R. § 248.201(d)(2)(i)-(iv) (2017).)) The Identity Theft Prevention Program must be approved by members, or a committee, of the company’s board of directors ((17 C.F.R. § 248.201(e)(1) (2017).)) and maintained with company personnel trained with the knowledge of such a program. ((17 C.F.R. § 248.201(e)(3) (2017).)) The reasonableness aspect of the design and framework of the Identity Theft Prevention Program, as written in the text of the rule, remains unclearly defined. How many red flags must the program include? Should the program’s percentage of detection exceed a certain percentage and, if so, what percentage? To what extent does an update to the program reach an acceptable, or unacceptable, threshold? Perhaps to the benefit of the Securities and Exchange Commission, these questions may be left open to interpretation.

Section IV. Rule 30(a), Rule 201, and Voya Financial Advisors, Inc.

Regardless of the lingering questions with respect to the reasonableness standards placed within the Safeguards Rule and the Identity Theft Red Flags Rule, the S.E.C. expressed little to no doubt as to its conclusions regarding the conduct of V.F.A. in light of the facts surrounding the company’s data breach incidents. Over the course of at least three days in April 2016, an unknown number of imposters managed to acquire nonpublic consumer data by posing as V.F.A. contractor representatives, ((Voya Fin. Advisors, Inc., Exchange Act Release No. 84288, Investment Advisers Act Release No. 5048, 2018 WL 4627393, Section III, ¶ 26 (Sept. 26, 2018).)) who comprised a bulk of the V.F.A. workforce and generally possessed access to such sensitive information through a web portal. ((Id., ¶ 11.)) Because the web portal was managed not by V.F.A. but rather by its parent company, Voya Financial Inc. (“Voya”), ((Id., ¶ 2.)) and because support calls related to the web portal were answered not by V.F.A. but by Voya, ((Id.)) the imposters, by using information pertaining to actual V.F.A. contractor representatives, ((Id., ¶ 27.)) managed to deceitfully convince Voya personnel to reset the passwords of these actual V.F.A. contractor representatives. ((Id.)) Despite the fact that at least some of the phone numbers used by the imposters to contact Voya staff in April 2016 were phone numbers used during similar attempts against V.F.A. earlier that year, Voya personnel reset the passwords for the imposters, provided temporary passwords over the phone to the imposters, and revealed the usernames associated with the respective contractor representative’s account to at least two imposters. ((Id., ¶¶ 26-27.))

Even after members of Voya’s staff discovered the unauthorized access of the web portal via the compromised contractor representative accounts, they merely reset (again) the passwords of these accounts under the incorrect assumption that password resets would kick out the currently active user from the account. ((Id., ¶¶ 29-30.)) The imposters who gained fraudulent access to the customer data left the web portal at their own discretion. ((Id., ¶ 30.)) Moreover, during the period in which the data breach occurred, additional imposters, acting as V.F.A. customers, managed to deceive Voya personnel which, in effect, compromised additional V.F.A. customer accounts. ((Id., ¶¶ 31-32.)) As a result of the series of incidents, the imposters acquired unauthorized access to the nonpublic, personal information of at least 5,600 V.F.A. customers; such information ranged from email addresses to social security numbers. ((Id., ¶ 28.)) Roughly thirteen million customers comprise the consumer base of V.F.A. ((Id., ¶ 10.))

From the facts of the case, the shortcomings of the policies and procedures utilized by V.F.A. to protect customer data become apparent. V.F.A. deferred many of its cyber-operations pertaining to the web portal to Voya. ((Id., ¶ 14.)) Voya personnel issued temporary passwords via unsecure means, such as by telephone. ((Id., ¶ 18.)) Voya personnel lacked an express mandate to review a list of phone numbers associated with past “fraudulent activity,” maintained by Voya, before handing out password resets. ((Id., ¶ 19.)) V.F.A. did not consistently verify that the computers used by contractor representatives to access the web portal were free from viruses and protected by anti-virus programs. ((Id., ¶ 20.)) V.F.A. failed to implement policies and procedures to notify existing customers of any changes made, whether authorized or unauthorized, to their accounts. ((Id., ¶ 21.)) The policies and procedures utilized by V.F.A. to react to such incidents of data and identity theft, as illustrated by the results of data breach incidents, failed due to the lack of a transparent communications system and the lack of training regarding the functions, operations, and limits of the web portal. ((Id., ¶ 22.)) And the policies and procedures utilized by V.F.A. with respect to contractor representative access to the web portal—including the mechanisms to kick out unauthorized users from the web portal—were inadequate due, at least in part, by the other aforementioned V.F.A. policies and procedures. ((Id., ¶ 14.)) Accordingly, the S.E.C. expressed that most, if not all, of the policies and procedures maintained by V.F.A. with respect to the cyber-protection of customer data, at the time of the data breach incidents, were either “deficient” or “not reasonably designed.” ((Id., ¶¶ 14-23.))

The S.E.C. held that V.F.A. “willfully” violated the Safeguards Rule. ((Id., ¶ 35.)) From the facts of the case and the insights into the flaws of the policies and procedures maintained by V.F.A. therein, the S.E.C. appeared resolute in its conclusions. The majority of the flaws associated with the policies and procedures of V.F.A. with respect to the protection of customers’ personal information appeared to contribute to the violation of the Safeguards Rule. After all, the aforementioned policies and procedures of V.F.A. that ultimately contributed to the results of the data breach incidents were “not reasonably designed,” ((Id., ¶¶ 14-23.)) meaning that V.F.A. failed to meet the reasonableness standard of the Safeguards Rule. Having devoted much space in its opinion to the reasons for why, and the details into how, V.F.A. violated the Safeguards Rule, the S.E.C. could have reached, with just that one rule, the conclusion that the company was partly responsible for failing to prevent or mitigate the data breach incidents.

However, the S.E.C., in an unprecedented move, went further by holding that V.F.A. also “willfully” violated the Identity Theft Red Flags Rule. ((Id., ¶ 36.)) Prior to this administrative proceeding, the S.E.C. had never used expressly the Identity Theft Red Flags Rule in reference to misconduct of any party within its jurisdiction since the rule’s enactment in 2013. ((Press Release, Sec. & Exch. Comm’n, SEC Charges Firm with Deficient Cybersecurity Procedures (Sept. 26, 2018).)) The S.E.C. brought the Identity Theft Red Flags Rule into the fold of its reasoning, because V.F.A. had already incorporated an Identity Theft Prevention Program pursuant to 17 C.F.R. § 248.201 since 2009. ((Voya Fin. Advisors, Inc., Exchange Act Release No. 84288, Investment Advisers Act Release No. 5048, 2018 WL 4627393, Section III, ¶ 24 (Sept. 26, 2018).)) Yet V.F.A. failed to ensure the adequate management of the Identity Theft Prevention Program by company personnel trained with the knowledge of the program and to implement significant updates to the program. ((Id., ¶ 25.)) Accordingly, the S.E.C. expressed that the V.F.A. Identity Theft Prevention Program as of the April 2016 data breach incidents was “not reasonably designed” to identify, detect, and respond to red flags associated with identity theft, ((Id.)) meaning that V.F.A. failed to meet the reasonableness standard of the Identity Theft Red Flags Rule. As a result of this case, the S.E.C. mandated V.F.A. to, among other things, comply with Regulation S-P (Safeguards Rule) and Regulation S-ID (Identity Theft Red Flags Rule) and imposed upon V.F.A. a cease-and-desist order, censure, and civil penalty of one million dollars. ((Id. at Section IV, ¶¶ A-C.))

Section IV. Conclusion

What significance might this administrative proceeding initiated by the S.E.C. against V.F.A. hold for the future? Firstly, this case further illustrates that the S.E.C. will continue to invest its time and resources in the field of cyber-space. This case was not the first, ((See, e.g., Altaba Inc., f/d/b/a Yahoo! Inc., Exchange Act Release No. 34-83096, 2018 WL 1919547 (Apr. 24, 2018).)) and certainly will not be the last, in which the S.E.C. pursued an enforcement action against a party under its jurisdiction regarding the cyber-protection of consumers’ personal information. Secondly, this case may offer a greater understanding of the extent to which a company’s policies and procedures with respect to the protection of such important nonpublic data gravely fail to meet the reasonableness standards of the Safeguards Rule. And, thirdly, this case marks the first time that the S.E.C. utilized the Identity Theft Red Flags Rule in an enforcement action against a party within its jurisdiction. ((Press Release, Sec. & Exch. Comm’n, SEC Charges Firm with Deficient Cybersecurity Procedures (Sept. 26, 2018).)) The implications of this aspect of the case affect those companies within the purview of the S.E.C. that already have, or will need to implement, an Identity Theft Prevention Program. The proper maintenance of updated Identity Theft Prevention Programs pursuant to the requirements of the Identity Theft Red Flags Rule requires the time and resources that at least some companies may not have been willing to spend in the past. And the lack of active S.E.C. enforcement of the Identity Theft Red Flags Rule prior to this case may have inadvertently incentivized companies to redirect the time and resources that may otherwise have been devoted to their respective Identity Theft Prevention Programs to other endeavors.

If this case serves as any indication, such a trend may have begun to change directions. Companies that were not exactly focused on maintaining and updating their respective Identity Theft Prevention Programs may now sense increased pressure from the S.E.C. to conform their programs to the requirements of the Identity Theft Red Flags Rule. Although they may need to dedicate additional time and resources to maintain updated Identity Theft Prevention Programs, these companies—either through the goodness of their corporate hearts or through the mandate of S.E.C. rules and regulations—will be one step closer to ensuring the integrity of the expectation of trust between businesses and their customers from the foundations of consumer data protection.