The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls
DATAINSIDER

Digital Guardian's Blog

SEC Enforces Little Known Identity Theft Rule

by Chris Brook on Thursday October 18, 2018

Contact Us
Free Demo
Chat

The SEC settled a case with the help of a little known 2013 regulation, the Identity Theft Red Flags Rule, for the first time two weeks ago. The rule requires financial institutions to implement a program to detect, prevent, and mitigate identity theft.

Five years after it was first adopted, the Securities and Exchange Commission has finally censured an organization for failing to adhere to a rule that requires companies implement a written program to detect the warning signs of identity theft in day-to-day operations.

The SEC hit Voya Financial Advisors, the investment advisor and broker dealer arm of Voya Financial, with a $1M fine two weeks ago. The firm, which didn’t admit or deny the charges but is settling, enabled hackers to impersonate independent advisers and access sensitive customer data in 2016.

The rule, the Identity Theft Red Flags Rule, went into compliance nearly five years ago, on November 20, 2013 after being adopted by both the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC). This is its first enforcement action involving it however.

According to a SEC cease-and-desist order published in late September, attackers were able to impersonate VFA contractor representatives over six days in April 2016 and gain access to web portals used by the firm. Once they secured access - VFA supplied the individuals with password resets and even usernames in some scenarios - the attackers had access to the personally identifiable information of 5,600 customers. While there were no known transfers of funds or securities from the accounts, customers' names, email addresses, dates of birth, addresses, and the last four digits of their Social Security numbers were exposed. The SEC claims the hackers were also able to access to other data, including account balances, account documents, tax documents, and other account information. Once inside, the hackers were also able to change the emails and physical addresses associated with customer profiles without triggering fraud alerts.

For what it’s worth VFA has had an Identity Theft Prevention Program in place; it just hadn't been updated since 2009, according to the SEC. To compound risk further no one from the company's board of directors or its management oversaw the program, something stipulated by the Identity Theft Red Flags Rule.

The settlement closes the book on a first of its kind case. While the $1M fine is relatively small potatoes, it should serve as a warning shot. It’s unlikely the Commission will be as forgiving the next time around.

"This SEC action highlights the importance of conducting regular reviews of cybersecurity and incident response protocols, assessing whether policies are in fact being followed, and ensuring proper training," Sabastian V. Niles, Marshall L. Miller, and Jeohn Salone Favors, a trio of attorneys with the New York-based firm Wachtell, Lipton, Rosen & Katz, wrote Friday in a Harvard Law School blog.

The SEC has hardened its stance on cybersecurity issues over the last several years; if financial firms were unaware of the rule, they should ensure they’re compliant and have an identity theft program designed to safeguard sensitive data in place.

The Commission updated its cybersecurity disclosure guidance earlier this year, asking companies to, “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion," and to “avoid the appearance of improper trading during the period following an incident and prior to the dissemination of disclosure.”

Securities and Exchange Commission building image via glass_window's Flickr photostream, Creative Commons

Tags: Industry Insights, Financial Services

Recommended Resources


  • An overview of the FFIEC CAT
  • How to use the CAT to identify areas of risk
  • How Digital Guardian helps reduce these risks
  • A compliance timeline for all 18 provisions
  • Financial services case studies
  • How Digital Guardian can help

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.