Cybersecurity Update: First SEC Enforcement Action Involving the Identity Theft Red Flags Rule Results in Settlement
- Wyatt, Bradley J.
- Industry Alerts
On September 26, 2018, the Securities and Exchange Commission announced that a settlement was reached in its first enforcement action involving the Identity Theft Red Flags Rule (the “Red Flags Rule”). The Red Flags Rule was designed to protect confidential customer information and customers from the risk of identity theft. The Red Flags Rule requires “financial institutions” and some “creditors” to conduct a periodic risk assessment to determine if they have “covered accounts,” and to develop, implement, and administer an identity theft prevention program that includes certain enumerated elements concerning the threat of identity theft.
This case began when the Division of Enforcement brought charges against Voya Financial Advisors Inc. (“VFA”) for violating the Red Flags Rule and the Safeguards Rule by failing to correct weaknesses in its cybersecurity policies and procedures, which led to fraudulent activity and a cyber-intrusion. Notably, several of VFA’s contributing cybersecurity policy deficiencies were previously identified during similar fraudulent activity. Also, VFA did not apply its cybersecurity procedures to the systems used by its independent contractors, which is particularly problematic because independent contractors are the largest segment of VFA’s workforce. VFA must now pay $1 million to settle charges related to its failures in cybersecurity policies and procedures.
This enforcement action demonstrates the SEC Enforcement Division’s heightened focus on identifying deficiencies in the cybersecurity policies and procedures of brokers and investment advisers. In light of the uptick in recently reported network intrusions, cyber incidents, and thefts of electronic data, it is imperative that brokers and investment advisers adopt and implement cybersecurity procedures that: (1) are reasonably designed to fit their specific business models; and (2) comply with both the Safeguards Rule and the Identity Theft Red Flags Rule.
For more information regarding the Red Flags Rule, the Safeguards Rule, and how to incorporate compliant programs into the daily operations of your business, please contact the Dickinson Wright attorneys listed below.
The full text of the Securities and Exchange Commission’s Press Release may be accessed here.
This client alert is published by Dickinson Wright PLLC to inform our clients and friends of important developments in the field of Securities, Data Privacy and Cybersecurity law. The content is informational only and does not constitute legal or professional advice. We encourage you to consult a Dickinson Wright attorney if you have specific questions or concerns relating to any of the topics covered here.