Cybersecurity SEC Enforcement Action
On 9/26/2018 the Securities and Exchange Commission charged Voya Financial Advisors, Inc. ("VFA") with violating the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft.
The SEC's Order states that, over a six-day period in 2016, cyber intruders impersonated VFA contractors by calling VFA's support line and requesting that the contractors' passwords be reset. The intruders used the new passwords to gain access to the personal information of 5,600 VFA customers. The intruders then used the customer information to create new online customer profiles and obtain unauthorized access to account documents for three customers. VFA failed to terminate the intruders' access. VFA also failed to apply its procedures to the systems used by its independent contractors, who largely made up VFA's workforce.
Without admitting or denying the SEC’s findings, VFA agreed to be censured and pay a $1 million penalty, and will retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule and related regulations.
Although VFA adopted a written Identity Theft Prevention Program, VFA violated the Identity Theft Red Flags Rule because it did not review and update the program in response to changes in risks to its customers. Additionally, VFA did not provide adequate training to its employees and contractors regarding the Identity Theft Prevention Program. Further, the Identity Theft Prevention Program did not include reasonable policies and procedures to respond to identity theft red flags.
Red Flag Rule
The Identity Theft Red Flags Rule requires certain financial institutions and creditors, including broker-dealers and investment advisers registered or required to be registered with the Commission, to develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. An Identity Theft Prevention Program must include reasonable policies and procedures to:
identify relevant red flags for the covered accounts and incorporate them into the Identity Theft Prevention Program;
detect the red flags that have been incorporated into the Identity Theft Prevention Program;
respond appropriately to any red flags that are detected pursuant to the Identity Theft Prevention Program; and
ensure that the Identity Theft Prevention Program is updated periodically to reflect changes in risks to customers from identity theft.
Identifying Red Flags
To identify Red Flags, firms must consider risk factors including but not limited to:
The methods by which the firm opens accounts;
The methods by which the firm grants access to accounts;
Any previous experiences with identity theft;
Alerts, notifications or warnings from a credit reporting agency;
Suspicious documents;
The social security number, address, or telephone number provided by the applicant or customer is identical to that of another applicant or customer;
Suspicious personal identifying information;
Any unusual use of, or other suspicious activity related to, a covered account; and
Notification from clients, victims of identity theft, law enforcement authorities or other sources regarding possible identity theft.
Social Engineering
Voya was compromised by a well-executed social engineering attack, that is, malicious actors exploiting human behavior. While public perception is often that malicious actors start with a highly technical attack vector to gain access to a victim's network, social engineering is actually the most common attack vector. Typically, after gaining access to a victim's internal resources through social engineering, malicious actors will move laterally within a victim's network. Firewalls and other intrusion prevention methods can be ineffective if employees are tricked into clicking on a malicious link they think came from a Facebook friend or LinkedIn connection. Whatever sophisticated protections a company puts in place, it must implement the right security policies and processes, measure their effectiveness and continuously improve. Otherwise, a crafty malicious actor can continue to adapt his/her social engineering attacks around security measures.
People inherently want to trust, and that's exactly what a successful social engineering attack exploits. If someone sends you an e-mail that says it's from a co-worker, you will likely trust it if it relates to something specific and familiar to you. Once that trust is established, you will have fewer reservations about clicking on links or images in the body of the e-mail. Similarly, if a phone caller has a credible explanation for needing certain information or systems access, then your tendency will be to trust it, since most of the time that request will ultimately be legitimate. Most people want to be kind and courteous and are trained to be compliant, especially in a work environment. This is heightened by a sense of frustration with a seemingly bureaucratic process or an expression of urgency. Who isn't busy or frustrated by safety bumps that 95% of the time are not necessary?
Malicious actors will often do weeks and months of background recon work to familiarize themselves with your workplace before stepping foot in your door, phishing your co-workers or making a phone call. Typical preparation might include finding a company phone list or org chart and researching employees on social networking sites like LinkedIn or Facebook. They know time is not on their side and any request will always demand a prompt response. This is the trap that VFA's contractors fell into…
Regulatory Focus on Ongoing Review and Assessment of Information Security Policies
As it has for the past three years, in 2018 the SEC's Office of Compliance, Inspections and Examinations (OCIE) announced that it would include cybersecurity as an exam priority and allocated staff for this purpose. Firms and their employees have a responsibility to implement their cybersecurity policies and procedures and an obligation to monitor them on an ongoing basis. Aside from adequate technological systems, firms must provide training to both employees and contractors and stress the importance of security for a strong defense against data breaches and fraud. As noted above, from a security standpoint, independent contractors and other third-party vendors are the firm's responsibility. Cybersecurity policies and procedures must be reasonably designed to fit your specific business model. The SEC alleged that VFA violated the Safeguards Rule because its policies and procedures to protect customer information and to prevent and respond to cybersecurity incidents were not reasonably designed to meet these objectives.
Conclusion
The VFA action is yet another reminder by the SEC for firms to remain vigilant in their information security program, continue to actively assess not only their own risk but also their third-party provider risk, and implement controls that are appropriately designed to mitigate this risk.