The Securities and Exchange Commission just hit an Iowa financial firm for poor cybersecurity, giving us another example of the policies and procedures firms should be implementing if they want to stay on the right side of this risk.
The firm, Voya Financial Advisors, agreed to pay a $1 million penalty (without admitting any wrongdoing, naturally). The SEC had charged VFA with violating the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft. This is the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule.
What happened? According to the SEC complaint, VFA used an online portal to let independent sales reps access customer data. The portal itself was maintained by VFA’s parent, Voya Financial; the sales reps were independent contractors rather than VFA employees.
VFA ran that system from 2013 to 2017. For six days in April 2016, hackers called VFA’s support line three times pretending to be contracted sales reps, and duped VFA into resetting the contractors’ passwords. Once the hackers had those reset passwords, they logged into VFA’s systems and absconded with the personal data of 5,600 VFA customers. The hackers also used the customer data to create new customer profiles and steal sensitive documents from three individuals.
It gets worse. After the first bogus phone call to reset contractors’ passwords, the legitimate contractor called VFA to warn the firm that he hadn’t requested a password reset. VFA tried to address that incident, but employees still fell for the second and third bogus calls. And two of the three calls came from phone numbers VFA had previously flagged as suspicious.
Where the Violation Happened
The Safeguards Rule requires broker-dealers and registered investment advisers to have written policies and procedures to protect customer records and information. What those policies and procedures must accomplish is worth quoting directly from the SEC, with emphasis added by me:
Those policies and procedures must be reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
VFA had already encountered this particular scam previously, including the same questionable phone numbers. So what might have been a reasonably designed policy then, at the time of the prior attack, would no longer be a reasonably designed policy now, during a second attack.
The Identity Theft Red Flags Rule says a company’s cybersecurity policies and procedures should be “updated periodically to reflect changes in risks to customers from identity theft.” VFA did adopt an Identity Theft Program in 2009, but hadn’t updated it since then — including through the hackers’ attempts to steal data.
This is an important point. The cybersecurity risk itself had not changed: hackers, posing as contractors, calling the service line looking to reset passwords. But VFA’s awareness of the risk had changed, so VFA could have revised its policies and procedures to make them better designed for the risk VFA knew it had. That’s what VFA failed to do.
This enforcement action underlines the importance of regular risk assessments — ones that incorporate any new understanding of a risk that you’ve gained, to assure that your control design stays current with the threat. That’s what the Safeguard and Identity Theft rules require.
‘Reasonable’ Cybersecurity Procedures
How much better designed should controls be? What is “reasonable” improvement to control design as your understanding of a risk evolves? That depends on each firm’s circumstances.
One example: a firm could require its sales reps to use two-factor authentication for password resets. “Thank you for calling. We’re going to text a four-digit code to the cell phone we have on record for you. Read that code back to us before we send you a reset email.” That sort of thing. (As we’ve noted previously, two-factor authentication is an important security feature companies aren’t using nearly enough.)
While VFA did use two-factor authentication for employees, it did not use TFA for contractors who were calling to reset passwords. Which brings us to another dimension this case calls out: the challenge of third-party oversight and responsibility in modern corporate enterprises.
For example, the sales reps were independent contractors who accessed VFA data remotely, but VFA had no controls to terminate those sessions if, say, the contractor had been inactive for 15 minutes. Then again, Voya Financial maintained the online portal itself, so VFA had no cybersecurity team of its own who could argue for stronger policies more forcefully. To a certain extent, VFA was caught in between two other third parties, rather than part of one larger organization that might have perceived and addressed cybersecurity more holistically.
And some of this predicament clearly was VFA’s own fault, because its written policies and procedures weren’t complete. For example, VFA kept a list of questionable phone numbers connected to hackers (good), and employees referred to that list regularly (better), but VFA had no written policy that employees should use that list (bad).
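To make the two ideas above concrete (the read-back code texted to the phone on record from the two-factor example, and a flagged-number list that is actually consulted on every call), here is an added Python sketch of a help-desk reset flow. It is example code, not VFA’s or Voya’s system; the rep IDs and phone numbers are constructed, and the SMS gateway is stood in for by a list.

```python
import hmac
import secrets

# Constructed sample data (hypothetical, not from the SEC order): each rep's
# phone on record, and caller-ID numbers the desk has already flagged.
PHONE_ON_RECORD = {"rep-1001": "+15155550101"}
FLAGGED_CALLER_NUMBERS = {"+15155550199"}
CODE_DIGITS = 4        # the text's four-digit code; MAX_ATTEMPTS and the TTL bound guessing
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3

class ResetDesk:
    def __init__(self):
        self.pending = {}        # rep_id -> {"code", "expires_at", "attempts"}
        self.last_caller = {}    # rep_id -> caller-ID of the most recent reset request
        self.flagged = set(FLAGGED_CALLER_NUMBERS)
        self.sent_codes = []     # stand-in for the SMS gateway: (phone_on_record, code)

    def start_reset(self, rep_id, caller_number, now):
        """A caller claiming to be rep_id asks for a reset; `now` is epoch seconds."""
        phone = PHONE_ON_RECORD.get(rep_id)
        # The written rule VFA lacked: the flagged-number list is always consulted.
        if phone is None or caller_number in self.flagged:
            return False
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[rep_id] = {"code": code, "expires_at": now + CODE_TTL_SECONDS, "attempts": 0}
        self.last_caller[rep_id] = caller_number
        self.sent_codes.append((phone, code))   # out of band: to the number on file, not the caller
        return True

    def verify_readback(self, rep_id, spoken_code, now):
        """Only a correct, unexpired read-back releases the reset email."""
        p = self.pending.get(rep_id)
        if p is None or now > p["expires_at"]:
            return False
        p["attempts"] += 1
        if hmac.compare_digest(p["code"], spoken_code):
            del self.pending[rep_id]            # single use: the reset email goes out only now
            return True
        if p["attempts"] >= MAX_ATTEMPTS:
            del self.pending[rep_id]            # too many wrong read-backs: caller starts over
        return False

    def report_unrequested_reset(self, rep_id):
        """The real rep calls back saying they never asked: cancel the code, flag the caller-ID."""
        self.pending.pop(rep_id, None)
        number = self.last_caller.get(rep_id)
        if number:
            self.flagged.add(number)
        return number
```

The point of the last method is the one the SEC order turns on: the warning call from the legitimate contractor should change the control, so the next call from that number is refused rather than serviced.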
SEC chairman Jay Clayton often says cybersecurity is one of his top priorities — and while he doesn’t see much sense in imposing monetary penalties simply because a breach happens, he is open to penalties for firms that don’t stay current with their risks.
“Stay current” means understanding your regulatory requirements, and reassessing your controls based upon new cybersecurity risk information. That didn’t happen at VFA, so here we are.