SEC takes action for breach of ‘red flags rule’

30 October 2018

US broker-dealer Voya Financial Advisors (Voya) has agreed a USD 1 million settlement with the Securities and Exchange Commission (SEC) over charges of deficient cyber security. The settlement is the first SEC action for a violation of the Identity Theft Red Flags Rule.

The settlement relates to a 2016 data breach, in which fraudsters accessed personal identifiable information of at least 5,600 Voya customers. According to the SEC, a person impersonating a contractor representative called a Voya technical support line in 2016 to successfully request a password reset, which gave criminals access to a proprietary web portal holding customer data. However, the impersonator used phone numbers that Voya had already identified as associated with previous fraudulent activity.

The SEC alleges that Voya breached its Safeguards Rule, which requires a regulated entity to protect customer records and prevent unauthorised access. It also says Voya breached the Identity Theft Red Flags Rule, which requires investment firms to maintain an up-to-date identity theft prevention program (ITPP) that uses “red flags” to warn that hackers might be trying to steal customer information or identities. The SEC said the case is its first enforcement action charging violations of the Identity Theft Red Flags Rule to protect customers from identity theft.

Although Voya had established a written Identity Theft Prevention Program in 2009, it had not reviewed and updated it in response to changes in risks to its customers. Voya also failed to include reasonable policies and procedures to respond to identity theft red flags, such as those that were detected during the April 2016 intrusion.

Subscribe to our  Latest Cyber Decoder newsletter


According to law firm Katten, the settlement emphasises just how seriously the SEC treats firms’ obligations relating to cyber security procedures. In particular, the SEC expects an appropriate and prompt response to red flags. Failure to identify and respond promptly to red flags may potentially create significant regulatory risks, in addition to the reputational and liability risks from the firm’s customers, Katten says.

The settlement sends a clear warning to financial firms and boards of directors that they need to get their cyber security programmes in shape or face the consequences, says law firm Patterson Belknap Webb & Tyler. The law firm notes that Voya’s ITPP “languished” in recent years and fell far below the requirements of the rule. It also was not approved by the firm’s board or senior leaders, as is required by the rule.

The regulatory action against Voya highlights the need for financial services firms to have appropriate systems and procedures in place to prevent fraud, and the need to regularly review such processes. Red flag procedures are part of basic cyber hygiene and are in the interest of banks and financial advisors to implement.

Download Cyber Decoder

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on