Takeaways from the Voya Breach and Settlement (Order distributed on September 26, 2018)

Voya Financial Services, Inc. (“VFA”)

Similar to past enforcements and, notably, the 2015 action and settlement with R.T. Jones, the SEC has invoked Rule 30(a) of Regulation S-P (the “Safeguards Rule”) in a broad swipe at a firm’s weak cybersecurity practices and lack of specific policies and procedures.

Unfortunately and as promised via recent Examination Priority letters, the SEC turned the screws hard on Voya with the Action resulting in a million-dollar settlement in a case where there is no evidence of misuse or the actions taken by Black Hats concerning exposed data. Granted, we are talking about a dual registrant and we know there is no regulatory love loss here, however we would rather see the SEC assume a collaborative posture with respect to breach. Otherwise, we are driving down a road where there will be less transparency in risk assessment and a greater incentive to manage unauthorized access rather than share information.

In sum, the Voya breach involved fraudsters who impersonated representatives requesting password resets from Tech Support to obtain access to a proprietary client portal used for brokers and advisers. Tech Support provided passwords for access, which defeated multi-factor authentication by resetting the accounts. Voya made some mistakes in not reacting aggressively enough to a representative reporting that he had received notification of a “password reset” but had not requested one. There are other notable failures here, but we are attempting to distill this quagmire into usable information for clients.

What’s new here is the first invocation of the Identity Theft Red Flags Rule, which is consistent with the SEC’s approach of permitting a few years for implementation before dropping the hammer.

The details of the breach at Voya Financial Advisers, Inc. are complex, and we are attempting to boil this down to both relevant regulatory issues and actionable IT responses.

  • The SEC continues to view Cyber-enforcement through the lens of the “Safeguards Rule” and the failure to implement policies and procedures to protect client information. It is not enough to just “do” or have solid procedures in place. You must have policies in areas of determined risk.
  • It is time to review your Identity Theft Prevention Program (ITPP) as required to be implemented for those firm’s subject to the Red Flags Rule. Audit of Red Flags policies and procedures must now be assumed as part of any IT security review and in the future to be part of the regular exam process.
  • The relationship between many forms of breach and attempted breach to Identity Theft must now be extended to Incident Response practices, logging, and an active program which responds to identified risks.
  • Training for Identity Theft and IT Security, in general, must be specific and include all employees. The SEC noted, with respect to Voya, that employees involved in the breach failed to participate in Training – in fact, training was “sparsely attended.” Footnote 7 contained in the Order is worth reviewing to understand that the SEC will take training seriously as represented in previous guidance.
  • Intrusions at Voya, which occurred over 6 days in April 2016 were preceded by other fraud attempts and activities. Take serious action on known attempts and treat these as a shot across the bow. You are under attack and need to assume more attempts are pending.
  • The Voya breach surrounds practices for a “proprietary portal” which we would consider high risk. The majority of advisers who do not develop proprietary portals should translate findings and corresponding controls to any cloud-based or third-party portals used in conjunction with client information. Review security controls, multi-factor authentication, timeouts, lockouts, practices concerning password resets, User rights, vendor due diligence, and policies and procedures for all portals connecting to and containing client or employee Personal Identifiable Information.
  • The SEC also noted issues concerning persons working remotely. Given recent US-CERT and FBI Alerts concerning Remote Access Software, and the SEC’s look at remote offices and practices surrounding remote sessions of the Voya portal, we suggest advisers review policies and procedures for remote and home office use and practices for access to critical services. We believe the remote/home office attack surface is a future focal point for regulators.
  • The US-CERT has also issued Alerts regarding common network and ISP devices which may more likely be found in remote/office environments.

Informative References:

The Voya breach involves some failures of communication concerning initial breach attempts which could have been acted upon to prevent the fraud which took place in April of 2016. In addition to cultivating open communications on breach, attempted and real, advisers should translate practices for the proprietary portal to their own cloud-based and third-party portals.

We’d recommend reviewing the following documents if you’ve not done so already and discussing them at your next IT committee meeting.

Voya Settlement
https://www.sec.gov/litigation/admin/2018/34-84288.pdf

R.T. Jones Settlement
https://www.sec.gov/litigation/admin/2015/ia-4204.pdf

US-CERT Alert for RDP Exploitation
https://www.us-cert.gov/ncas/current-activity/2018/09/28/IC3-Issues-Alert-RDP-Exploitation

US-CERT Securing Common Network Devices.
https://www.us-cert.gov/ncas/tips/ST18-001