SEC Fines Firm For Cyber Lapses Leading to Disclosure Of Info For 5,600 Customers

The Securities and Exchange Commission recently announced that a Des Moines-based broker-dealer and investment adviser has agreed to pay $1 million to settle allegations related to its failures in cyber security policies and procedures surrounding a cyber intrusion that compromised the personal information of thousands of customers. In addition to the $1 million penalty, the firm was required to hire an independent consultant for a two-year term, who will generate reports for submission to the SEC.

Over 6 days in April 2016, individuals impersonating independent contractor representatives to Voya Financial Advisors, Inc. (VFA) called VFA’s technical support line and requested resets of 3 representatives’ passwords for web portal access. Notably, the fraudsters used phone numbers the parent company, Voya, had previously identified as associated with fraudulent activity. Nonetheless, support staff reset the passwords and provided temporary passwords over the phone.

When an actual contractor representative called support to inform them that he had received an email confirming a password change that he had not requested, VFA did not immediately terminate the intruders’ access to the system. As a result of that and other security failures, the intruders were able to access the personally identifiable information of at least 5,600 customers.

Although there were no known unauthorized transfers from customer accounts, the SEC found that VFA’s practices violated the Safeguards Rule, which requires every BD and RIA to have written policies and procedures that address technical and physical safeguards for the protection of customer records and information. The SEC concluded that VFA’s policies and systems relating to contractor password resets, terminating web sessions in its gateway system for contractors, and identifying higher risk representatives and customer accounts for additional security measures, were not reasonably designed.

For example, VFA’s 15-minute inactivity timeout, which applied to employee representatives accessing the web portal, was not applied to the web portal for contractor representatives. In addition, VFA’s policy requiring a user to answer security questions when logging on from a new device was easily circumvented by the intruders simply calling support to reset their security questions.

Bottom line: Firms are faced with cyber threats on multiple fronts every day. Many threats take the form of malware or other web or software-based attacks probing systems for weaknesses. The VFA incident, however, was relatively low tech. It involved natural persons impersonating remote independent contractor representatives over the phone. Accordingly, firms should consider assessing not only their software-based bulwarks against intrusion, but also the training and policies overseeing phone conversations and other human interactions.
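The three control gaps the order describes (phone resets honoured from numbers already flagged for fraud, no idle timeout on the contractor portal, and sessions left open after a user reported an unrequested reset) as a small Python model, added here as an example; it is not VFA’s code or anything from the SEC order, and the `Gateway` class, the flagged-number list, the out-of-band delivery of temporary credentials and the sample values are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)  # one timeout for every portal, not only employees

@dataclass
class Session:
    user: str
    portal: str  # "employee" or "contractor"
    last_activity: datetime

class Gateway:
    def __init__(self, flagged_numbers):
        self.flagged_numbers = set(flagged_numbers)  # caller numbers tied to prior fraud
        self.sessions = {}  # session id -> Session
        self._next_id = 1

    def open_session(self, user, portal, now):
        sid = self._next_id
        self._next_id += 1
        self.sessions[sid] = Session(user, portal, now)
        return sid

    def is_active(self, sid, now):
        """Idle sessions expire identically on the employee and contractor portals."""
        s = self.sessions.get(sid)
        return s is not None and now - s.last_activity <= IDLE_TIMEOUT

    def reset_request(self, user, caller_number):
        """Phone reset: refuse flagged callers; never read a temporary password to the caller."""
        if caller_number in self.flagged_numbers:
            return "denied"
        return "sent_to_registered_email"  # assumed control: delivered out of band, not by voice

    def report_unrequested_reset(self, user):
        """A user reporting a reset they did not request revokes every session they own."""
        revoked = [sid for sid, s in self.sessions.items() if s.user == user]
        for sid in revoked:
            del self.sessions[sid]
        return len(revoked)

def demo():
    """Constructed scenario: flagged caller, idle contractor session, unrequested-reset report."""
    gw = Gateway(flagged_numbers={"+1-555-0100"})  # constructed sample number
    t0 = datetime(2016, 4, 4, 9, 0)
    sid = gw.open_session("rep-1", "contractor", t0)
    return {"flagged": gw.reset_request("rep-1", "+1-555-0100"),
            "clean": gw.reset_request("rep-1", "+1-555-0199"),
            "active_at_14m": gw.is_active(sid, t0 + timedelta(minutes=14)),
            "active_at_16m": gw.is_active(sid, t0 + timedelta(minutes=16)),
            "revoked": gw.report_unrequested_reset("rep-1"),
            "active_after_report": gw.is_active(sid, t0)}
```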

Supreme Court Limits “Whistleblower” Status to People Who Report Out to SEC

The Supreme Court, by unanimous decision, has held that “whistleblower” status under the 2010 Dodd-Frank Act, with its cash award and enhanced anti-retaliation benefits, is limited to individuals who report violations to the SEC and does not include people who internally report at a company but fail to report to the SEC. The decision is likely to increase call volume on the SEC’s whistleblower hotline, as well as costs and headaches for legal and compliance personnel at regulated companies.

Although an individual who reports internally (and not to the SEC) may still get the anti-retaliation benefits afforded under the 2002 Sarbanes-Oxley Act, that individual would not be entitled to the enhanced anti-retaliation benefits (e.g., double back pay) or the potential cash payout (10-30 percent of any SEC monetary penalties) under Dodd-Frank. Accordingly, individuals with information that could lead to SEC charges are now more likely to report out to the agency than try to resolve things internally.

Consequently, compliance and legal personnel at Pubcos, RIAs, and BDs should consider reviewing their policies and procedures to ensure that they are striking the correct balance between motivating employees to report potential problems internally and not limiting an employee’s ability to report out. This is especially true given the SEC’s focus (through enforcement actions) on entities who limit such reporting by requiring employees to sign restrictive confidentiality agreements that may have the effect of “chilling” an employee’s desire to report out.

Here is a link to the Supreme Court’s decision: 16-1276_b0nd.pdf