The Securities and Exchange Commission recently announced that a Des Moines-based broker-dealer and investment adviser has agreed to pay $1 million to settle allegations related to its failures in cyber security policies and procedures surrounding a cyber intrusion that compromised personal information of thousands of customers. In addition to a $1 million penalty, the firm was required to hire an independent consultant for a 2 year term, who will generate reports for submission to the SEC.
Over 6 days in April 2016, individuals impersonating independent contractor representatives to Voya Financial Advisors, Inc. (VFA) called VFA’s technical support line and requested resets of 3 representatives’ passwords for web portal access. Notably, the fraudsters used phone numbers the parent company, Voya, had previously identified as associated with fraudulent activity. Nonetheless, support staff reset the passwords and provided temporary passwords over the phone.
When an actual contractor representative called support to inform them that he had received an email confirming a password change that he had not requested, VFA did not immediately terminate the intruders’ access to the system. As a result of that any other security failures, the intruders were able to access to the personally identifiable information of at least 5,600 customers.
Although there were no known unauthorized transfers from customer accounts, the SEC found that VFA’s practices violated the Safeguards Rule, which requires every BD and RIA to have written policies and procedures that address technical and physical safeguards for the protection of customer records and information. The SEC concluded that VFA’s policies and systems relating to contractor password resets, terminating web sessions in its gateway system for contractors, and identifying higher risk representatives and customer accounts for additional security measures, were not reasonably designed.
For example, VFA’s 15-minute inactivity timeouts, which applied to employee representatives accessing the web portal, was not applied to the web portal for contractor representatives. In addition, VFA’s policy requiring a user to answer security questions when logging on from a new device was easily circumvented by the intruders calling support to reset their security questions.
Bottom line: Firms are faced with cyber threats on multiple fronts every day. Many threats take the form of malware or other web or software-based attacks probing systems for weaknesses. The VFA incident, however, was relatively low tech. It involved natural persons impersonating remote independent contractor representatives over the phone. Accordingly, firms should consider assessing not only their software-based bulwarks against intrusion, but also the training and policies overseeing phone conversations and other human interactions.