UNITED STATES OF AMERICABefore theSECURITIES AND EXCHANGE COMMISSIONSECURITIES EXCHANGE ACT OF 1934Release No. 84288 / September 26, 2018INVESTMENT ADVISERS ACT OF 1940Release No. 5048 / September 26, 2018ADMINISTRATIVE PROCEEDINGFile No. 3-18840In the Matter ofVoya Financial Advisors, Inc.,Respondent.ORDER INSTITUTING ADMINISTRATIVEAND CEASE-AND-DESIST PROCEEDINGSPURSUANT TO SECTIONS 15(b) AND 21COF THE SECURITIES EXCHANGE ACT OF1934, AND SECTIONS 203(e) AND 203(k) OFTHE INVESTMENT ADVISERS ACT OF1940, MAKING FINDINGS, AND IMPOSINGREMEDIAL SANCTIONS AND A CEASEAND-DESIST ORDERI.The Securities and Exchange Commission (the “Commission”) deems it appropriate and inthe public interest that public administrative and cease-and-desist proceedings be, and hereby are,instituted pursuant to Sections 15(b) and 21C of the Securities Exchange Act of 1934 (the“Exchange Act”), and Sections 203(e) and 203(k) of the Investment Advisers Act of 1940 (the“Advisers Act”), against Voya Financial Advisors, Inc. (“VFA” or “Respondent”).II.In anticipation of the institution of these proceedings, Respondent has submitted an Offerof Settlement (the “Offer”) which the Commission has determined to accept. Solely for thepurpose of these proceedings and any other proceedings by or on behalf of theCommission, or to which the Commission is a party, and without admitting or denying the findingsherein, except as to the Commission’s jurisdiction over it and the subject matter of theseproceedings, which are admitted, Respondent consents to the entry of this Order InstitutingAdministrative and Cease-and-Desist Proceedings Pursuant to Sections 15(b) and 21C of theExchange Act, and Sections 203(e) and 203(k) of the Advisers Act, Making Findings, andImposing Remedial Sanctions and a Cease-and-Desist Order (“Order”), as set forth below.
III.On the basis of this Order and Respondent’s Offer, the Commission finds that:Summary1.These proceedings arise out of VFA’s failure to adopt written policies andprocedures reasonably designed to protect customer records and information, in violation of Rule30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”), and VFA’s failure todevelop and implement a written Identity Theft Prevention Program as required by Rule 201 ofRegulation S-ID (17 C.F.R. § 248.201) (the “Identity Theft Red Flags Rule”).2.VFA is a dually registered broker-dealer and investment adviser. From at least2013 through October 2017 (the “relevant period”), VFA gave its independent contractorrepresentatives1 (“contractor representatives”) access to its brokerage customer and advisory client(hereinafter, “customer”) information through a proprietary web portal. Through the portal, thecontractor representatives accessed the personally identifiable information (“PII”) of VFAcustomers and managed the customers’ brokerage accounts. The portal was serviced andmaintained by VFA’s parent company, Voya Financial, Inc. (“Voya”). The contractorrepresentatives generally used their own IT equipment and their own networks to access the portal.Voya’s service call centers serviced support calls from VFA’s customers and VFA’s contractorrepresentatives.3.Over six days in April 2016, one or more persons impersonating VFA contractorrepresentatives called VFA’s technical support line and requested a reset of three representatives’passwords for the web portal used to access VFA customer information, in two instances usingphone numbers Voya had previously identified as associated with prior fraudulent activity. Theprior activity also involved attempts to impersonate VFA contractor representatives in calls toVoya’s technical and customer support lines. Voya’s technical support staff reset the passwordsand provided temporary passwords over the phone, and on two of the three occasions, they alsoprovided the representative’s username.4.Three hours after the first fraudulent reset request, the targeted contractorrepresentative notified a technical support employee that he had received an email confirmingthe password change, but he had not requested such a change. Although VFA took certain stepsto respond to the intrusion, those steps did not prevent the intruders from obtaining passwordsand gaining access to VFA’s portal by impersonating two additional representatives over thenext several days. Nor did VFA terminate the intruders’ access to the three representatives’1The independent contractor representatives were associated persons of VFA who were licensed as registeredrepresentatives or otherwise qualified to effect transactions in securities on behalf of VFA, and some of them werealso investment adviser representatives of VFA. As noted in Books and Records Requirements for Brokers andDealers Under the Securities Exchange Act of 1934, Exchange Act Release No. 44992 (Oct. 26, 2001) 66 FR 55817,55820 n.18 (Nov. 1, 2001), “The Commission has consistently taken the position that independent contractors (whoare not themselves registered as broker-dealers) involved in the sale of securities on behalf of a broker-dealer are‘controlled by’ the broker-dealer, and, therefore, are associated persons of the broker-dealer.”2
accounts due to deficient cybersecurity controls and an erroneous understanding of the operationof the portal.5.The intruders used the VFA contractor representatives’ usernames and passwords tolog in to the portal and gain access to PII for at least 5,600 of VFA’s customers, and subsequentlyto obtain account documents containing PII of at least one Voya customer. The intruders alsoused customer information to create new Voya.com customer profiles, which gave them accessto PII and account information of two additional customers. There have been no knownunauthorized transfers of funds or securities from VFA customer accounts as a result of theattack.6.The Safeguards Rule requires every broker-dealer and every investment adviserregistered with the Commission to adopt written policies and procedures that addressadministrative, technical and physical safeguards for the protection of customer records andinformation. Those policies and procedures must be reasonably designed to: (1) insure thesecurity and confidentiality of customer records and information; (2) protect against anyanticipated threats or hazards to the security or integrity of customer records and information;and (3) protect against unauthorized access to or use of customer records or information thatcould result in substantial harm or inconvenience to any customer.7.VFA violated the Safeguards Rule because its policies and procedures to protectcustomer information and to prevent and respond to cybersecurity incidents were not reasonablydesigned to meet these objectives. Among other things, VFA’s policies and procedures withrespect to resetting VFA contractor representatives’ passwords, terminating web sessions in itsproprietary gateway system for VFA contractor representatives, identifying higher-riskrepresentatives and customer accounts for additional security measures, and creation andalteration of Voya.com customer profiles, were not reasonably designed. In addition, a numberof VFA’s cybersecurity policies and procedures were not reasonably designed to be applied to itscontractor representatives.8.The Identity Theft Red Flags Rule requires certain financial institutions andcreditors, including broker-dealers and investment advisers registered or required to be registeredwith the Commission, to develop and implement a written Identity Theft Prevention Programthat is designed to detect, prevent, and mitigate identity theft2 in connection with the opening of acovered account or any existing covered account.3 An Identity Theft Prevention Program mustinclude reasonable policies and procedures to: identify relevant red flags for the coveredaccounts and incorporate them into the Identity Theft Prevention Program; detect the red flagsthat have been incorporated into the Identity Theft Prevention Program; respond appropriately to2The rule defines “identity theft” as a fraud committed or attempted using the identifying information of anotherperson without authority. See 17 C.F.R. § 248.201(b)(9).3The rule defines a “covered account” to include an account that a broker-dealer or investment adviser offers ormaintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiplepayments or transactions, such as a brokerage account with a broker-dealer. See 17 C.F.R. § 248.201(b)(3).3
any red flags that are detected pursuant to the Identity Theft Prevention Program; and ensure thatthe Identity Theft Prevention Program is updated periodically to reflect changes in risks tocustomers from identity theft.9.Although VFA adopted a written Identity Theft Prevention Program in 2009, VFAviolated the Identity Theft Red Flags Rule because it did not review and update the Identity TheftPrevention Program in response to changes in risks to its customers or provide adequate training toits employees. In addition, the Identity Theft Prevention Program did not include reasonablepolicies and procedures to respond to identity theft red flags, such as those that were detected byVFA during the April 2016 intrusion.Respondent10.VFA is a Minnesota corporation headquartered in Des Moines, Iowa, and duallyregistered as a broker-dealer and investment adviser with the Commission. VFA hasapproximately 13 million customers and approximately 11 billion in regulatory assets undermanagement. It is an indirect wholly-owned subsidiary of Voya.Background11.VFA offers a wide range of proprietary and non-proprietary investment productsand services through a national network of independent contractor registered representatives. VFAhas over 1,000 employees, including registered representatives, who work in its home and branchoffices, as well as 3,800 other associated persons, including contractor representatives who workout of their own offices in approximately 1,200 locations throughout the United States. Thecontractor representatives make up the largest part of VFA’s workforce and provide brokerage andinvestment advisory services to VFA’s customers. In the course of providing these services, VFAcontractor representatives regularly collect and access account information for VFA customers thatcontains PII.12.During the relevant period, while VFA employees generally used informationtechnology (“IT”) equipment and IT systems provided by Voya, VFA contractor representativesgenerally used their own IT equipment and operated over their own networks.13.During the relevant period, VFA contractor representatives typically accessed VFAcustomer information through a proprietary web portal called Voya for Professionals or VPro. Byentering login credentials consisting of a username and password into VPro, the contractorrepresentatives gained access to a number of web applications, including third-party applicationssuch as SmartWorks, which is a customer and prospect relationship management system thatcontained PII and account information for VFA customers and prospects, and a customer accountmanagement system that enabled VFA employees and contractor representatives to, among otherthings, execute trades and initiate cash distributions.VFA’s Policies and Procedures Prior to the Intrusion Were Deficient14.VFA had no cybersecurity staff of its own and outsourced most of its4
cybersecurity functions and some of its information technology functions to its parent company,Voya. Voya staff also serviced support call centers for VFA’s customers and contractorrepresentatives. Voya’s Financial Application Support Team (“FAST”) was responsible forresponding to VFA contractor representatives’ requests for assistance with respect to VPro andSmartWorks, among other systems.15.Prior to the intrusion, over a dozen Voya policies and procedures relating tocybersecurity were supposed to govern the conduct of VFA. Among other things, these policiesand procedures required: (a) manual account lock-outs for a user suspected of being involved in asecurity incident from web applications containing critical data, including customer PII; (b) asession timeout after 15 minutes of user inactivity in web applications containing customer PII; (c)a prohibition of concurrent web sessions by a single user in web applications containing customerPII; (d) multi-factor authentication (“MFA”)4 for access to applications containing customer PII;(e) annual and ad-hoc review of cybersecurity policies; and (f) cybersecurity awareness trainingand updates for VFA employees and contractors.16.VFA implemented these policies and procedures for the systems used by itsassociated persons that it classified as employees, including when those associated persons workedremotely.17.Even though these policies and procedures were applicable to VFA’s associatedpersons that it classified as independent contractors, including those working out of remote offices,these policies and procedures were not reasonably designed to apply to the systems they used. Forexample, VFA allowed its contractor representatives to maintain concurrent VPro sessions and didnot apply 15-minute inactivity timeouts5 to VPro sessions. In addition, VFA did not have aprocedure for terminating an individual VFA contractor representative’s remote session. Further,VFA contractor representatives’ web access to VPro was subject to MFA that required the userto answer previously-set security questions when a new device was connecting to the relevantVPro account. This form of MFA was rendered ineffective when users called the FAST team torequest a reset of VPro passwords and FAST staff reset the security questions, which was whathappened during the intrusion.18.The password reset procedures for VPro allowed FAST staff to provide users whocould not remember their passwords with a temporary password by phone, after the user providedat least two pieces of his or her PII. Temporary passwords were not required to be sent via secureemail. Although these procedures did not authorize FAST staff to provide VPro usernames (inaddition to passwords) to these users, the procedures did not explicitly prohibit it. Theseprocedures remained in place at the time of the intrusion even though VFA was aware of prior4MFA requires at least one factor in addition to username and password for login authentication. The additionalfactor is commonly a token, randomly-generated by an app on the user’s mobile device or sent to the user viaSMS/text to a pre-registered phone number. VFA used such token-based MFA for its employees, but a different,less secure form of MFA (discussed in the text) for contractor representatives.5The VPro inactivity timeout was set to 60 minutes. VPro was exempted from the 15-minute timeout requirementwithout formal documentation.5
fraudulent activity at Voya that involved attempts to impersonate its contractor representativesusing their PII in calls to technical and customer support lines.19.Voya kept a “monitoring list” of phone numbers suspected of having been used inconnection with prior fraudulent activity at Voya. However, there was no written policy orprocedure that required FAST and customer support call centers to use this list when responding torequests for password resets or other calls from the phone numbers on this list. Although Voyaadopted an informal, unwritten procedure providing for the next-business-day review of phonecalls from numbers on the “monitoring list” in January 2016, that procedure did not preventsomeone from fraudulently obtaining access to confidential customer information at the time thatthe call was occurring, and the procedure was not consistently applied.20.The contractor representatives’ personal computers were supposed to be scannedfor the existence of antivirus software, encryption, and certain software updates, but these scanswere scheduled to occur only three times per year, and representatives often failed to take theactions that were necessary for the scans to occur. A third-party service provider scanned VFAcontractor representatives’ computers after a representative clicked a link sent by the serviceprovider via email. However, some representatives failed to click the link for extended periodsof time, if at all. Among the computers that were scanned, the fail rate in each of 2015 and 2016was approximately 30%, with half of those exhibiting critical failures, such as lack of encryptionand antivirus software. VFA conducted no review or follow-up on failures of representatives toscan their computers or on the scans that identified security deficiencies.21.The policies and procedures for protecting VFA customers’ Voya.com profiles,which included the customers’ personal and account information and provided users with theability to change email and physical addresses of record as well as to document deliverypreferences, were not reasonably designed. VFA did not provide notice to a customer when aninitial profile was created for that customer and when contact information and document deliverypreferences were changed for that customer. As a result, intruders could create and changecustomer profiles without customer detection, and they did so during the April 2016 attack.22.VFA’s policies and procedures to respond to a breach and mitigate identity theft inconnection with an intrusion into VPro and SmartWorks were also not reasonably designed. Theylargely consisted of Voya’s incident response procedures, which were not reasonably designed todeny or limit an unauthorized person’s access to VFA customers’ PII. For example, althoughincident response procedures required in general terms that potentially compromised user accountsbe disabled or the relevant applications be shut down to prevent additional compromise, VFA’spolicies and procedures were not reasonably designed to accomplish these directives. Specifically,Voya IT security staff, who were responsible for responding to security incidents, were notprovided with adequate training regarding the operation of VPro and erroneously believed thatresetting a VPro password for a user would terminate that user’s existing sessions. In fact,resetting VPro passwords did not terminate sessions, and existing sessions continued to proceedafter password resets. VFA’s incident response procedures also failed to ensure that the FAST andcustomer-facing call center staff were notified about an ongoing intrusion.23.VFA’s policies and procedures for designating compromised representatives’ and6
customers’ accounts for additional security measures during calls to support centers for VFAcontractor representatives and customers they serviced were not reasonably designed. Although inJanuary 2016, VFA informally adopted a procedure to place flags on such contractorrepresentatives and customer accounts in the system, unbeknownst to the relevant security staff,such flags were erased from the system periodically in connection with unrelated automatedsystem activities.24.In 2009, before the Dodd-Frank Act of 2010 transferred to the Commission therulemaking responsibility and enforcement authority under Section 615(e) of the Fair CreditReporting Act with respect to the entities subject to its enforcement authority, VFA adopted anIdentity Theft Prevention Program to comply with the then-applicable Red Flags Rule of theFederal Trade Commission (16 C.F.R. § 681.1). VFA’s Identity Theft Prevention Programrequired VFA to oversee the implementation and administration of the Identity Theft PreventionProgram, to train its staff on the Identity Theft Prevention Program, and to have in place policiesand procedures to periodically update the Identity Theft Prevention Program in response tochanges in risks to VFA’s customers.25.Despite significant changes in external cybersecurity risks6 and in VFA’s own riskprofile, VFA did not substantively update the Identity Theft Prevention Program after 2009 andVFA’s board of directors or a designated