Cybersecurity Update: First SEC Enforcement Action Involving the Identity Theft Red Flags Rule Results in Settlement
- Wyatt, Bradley J.
- Industry Alerts
On September 26, 2018, the Securities and Exchange Commission announced that a settlement was reached in its first enforcement action involving the Identity Theft Red Flags Rule (the “Red Flags Rule”). The Red Flags Rule was designed to protect confidential customer information and customers from the risk of identity theft. The Red Flags Rule requires “financial institutions” and some “creditors” to conduct a periodic risk assessment to determine if they have “covered accounts,” and to develop, implement, and administer an identity theft prevention program that includes certain enumerated elements concerning the threat of identity theft.
This case began when the Division of Enforcement brought charges against Voya Financial Advisors Inc. (“VFA”) for violating the Red Flags Rule and the Safeguards Rule by failing to correct weaknesses in its cybersecurity policies and procedures, which led to fraudulent activity and a cyber-intrusion. Notably, several of VFA’s contributing cybersecurity policy deficiencies were previously identified during similar fraudulent activity. Also, VFA did not apply its cybersecurity procedures to the systems used by its independent contractors, which is particularly problematic because independent contractors are the largest segment of VFA’s workforce. VFA must now pay $1 million to settle charges related to its failures in cybersecurity policies and procedures.
This enforcement action demonstrates the SEC Enforcement Division’s heightened focus on identifying deficiencies in the cybersecurity policies and procedures of brokers and investment advisers. In light of the uptick in recently reported network intrusions, cyber incidents, and thefts of electronic data, it is imperative that brokers and investment advisers adopt and implement cybersecurity procedures that: (1) are reasonably designed to fit their specific business models; and (2) comply with both the Safeguards Rule and the Identity Theft Red Flags Rule.
For more information regarding the Red Flags Rule, the Safeguards Rule, and how to incorporate compliant programs into the daily operations of your business, please contact the Dickinson Wright attorneys listed below.
The full text of the Securities and Exchange Commission’s Press Release may be accessed here.
This client alert is published by Dickinson Wright PLLC to inform our clients and friends of important developments in the field of Securities, Data Privacy and Cybersecurity law. The content is informational only and does not constitute legal or professional advice. We encourage you to consult a Dickinson Wright attorney if you have specific questions or concerns relating to any of the topics covered here.