UNITED STATES OF AMERICABefore theSECURITIES AND EXCHANGE COMMISSIONSECURITIES EXCHANGE ACT OF 1934Release No. 84288 / September 26, 2018INVESTMENT ADVISERS ACT OF 1940Release No. 5048 / September 26, 2018ADMINISTRATIVE PROCEEDINGFile No. 3-18840In the Matter ofVoya Financial Advisors, Inc.,Respondent.ORDER INSTITUTING ADMINISTRATIVEAND CEASE-AND-DESIST PROCEEDINGSPURSUANT TO SECTIONS 15(b) AND 21COF THE SECURITIES EXCHANGE ACT OF1934, AND SECTIONS 203(e) AND 203(k) OFTHE INVESTMENT ADVISERS ACT OF1940, MAKING FINDINGS, AND IMPOSINGREMEDIAL SANCTIONS AND A CEASEAND-DESIST ORDERI.The Securities and Exchange Commission (the “Commission”) deems it appropriate and inthe public interest that public administrative and cease-and-desist proceedings be, and hereby are,instituted pursuant to Sections 15(b) and 21C of the Securities Exchange Act of 1934 (the“Exchange Act”), and Sections 203(e) and 203(k) of the Investment Advisers Act of 1940 (the“Advisers Act”), against Voya Financial Advisors, Inc. (“VFA” or “Respondent”).II.In anticipation of the institution of these proceedings, Respondent has submitted an Offerof Settlement (the “Offer”) which the Commission has determined to accept. Solely for thepurpose of these proceedings and any other proceedings by or on behalf of theCommission, or to which the Commission is a party, and without admitting or denying the findingsherein, except as to the Commission’s jurisdiction over it and the subject matter of theseproceedings, which are admitted, Respondent consents to the entry of this Order InstitutingAdministrative and Cease-and-Desist Proceedings Pursuant to Sections 15(b) and 21C of theExchange Act, and Sections 203(e) and 203(k) of the Advisers Act, Making Findings, andImposing Remedial Sanctions and a Cease-and-Desist Order (“Order”), as set forth below.
III.On the basis of this Order and Respondent’s Offer, the Commission finds that:Summary1.These proceedings arise out of VFA’s failure to adopt written policies andprocedures reasonably designed to protect customer records and information, in violation of Rule30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”), and VFA’s failure todevelop and implement a written Identity Theft Prevention Program as required by Rule 201 ofRegulation S-ID (17 C.F.R. § 248.201) (the “Identity Theft Red Flags Rule”).2.VFA is a dually registered broker-dealer and investment adviser. From at least2013 through October 2017 (the “relevant period”), VFA gave its independent contractorrepresentatives1 (“contractor representatives”) access to its brokerage customer and advisory client(hereinafter, “customer”) information through a proprietary web portal. Through the portal, thecontractor representatives accessed the personally identifiable information (“PII”) of VFAcustomers and managed the customers’ brokerage accounts. The portal was serviced andmaintained by VFA’s parent company, Voya Financial, Inc. (“Voya”). The contractorrepresentatives generally used their own IT equipment and their own networks to access the portal.Voya’s service call centers serviced support calls from VFA’s customers and VFA’s contractorrepresentatives.3.Over six days in April 2016, one or more persons impersonating VFA contractorrepresentatives called VFA’s technical support line and requested a reset of three representatives’passwords for the web portal used to access VFA customer information, in two instances usingphone numbers Voya had previously identified as associated with prior fraudulent activity. Theprior activity also involved attempts to impersonate VFA contractor representatives in calls toVoya’s technical and customer support lines. Voya’s technical support staff reset the passwordsand provided temporary passwords over the phone, and on two of the three occasions, they alsoprovided the representative’s username.4.Three hours after the first fraudulent reset request, the targeted contractorrepresentative notified a technical support employee that he had received an email confirmingthe password change, but he had not requested such a change. Although VFA took certain stepsto respond to the intrusion, those steps did not prevent the intruders from obtaining passwordsand gaining access to VFA’s portal by impersonating two additional representatives over thenext several days. Nor did VFA terminate the intruders’ access to the three representatives’1The independent contractor representatives were associated persons of VFA who were licensed as registeredrepresentatives or otherwise qualified to effect transactions in securities on behalf of VFA, and some of them werealso investment adviser representatives of VFA. As noted in Books and Records Requirements for Brokers andDealers Under the Securities Exchange Act of 1934, Exchange Act Release No. 44992 (Oct. 26, 2001) 66 FR 55817,55820 n.18 (Nov. 1, 2001), “The Commission has consistently taken the position that independent contractors (whoare not themselves registered as broker-dealers) involved in the sale of securities on behalf of a broker-dealer are‘controlled by’ the broker-dealer, and, therefore, are associated persons of the broker-dealer.”2
accounts due to deficient cybersecurity controls and an erroneous understanding of the operationof the portal.5.The intruders used the VFA contractor representatives’ usernames and passwords tolog in to the portal and gain access to PII for at least 5,600 of VFA’s customers, and subsequentlyto obtain account documents containing PII of at least one Voya customer. The intruders alsoused customer information to create new Voya.com customer profiles, which gave them accessto PII and account information of two additional customers. There have been no knownunauthorized transfers of funds or securities from VFA customer accounts as a result of theattack.6.The Safeguards Rule requires every broker-dealer and every investment adviserregistered with the Commission to adopt written policies and procedures that addressadministrative, technical and physical safeguards for the protection of customer records andinformation. Those policies and procedures must be reasonably designed to: (1) insure thesecurity and confidentiality of customer records and information; (2) protect against anyanticipated threats or hazards to the security or integrity of customer records and information;and (3) protect against unauthorized access to or use of customer records or information thatcould result in substantial harm or inconvenience to any customer.7.VFA violated the Safeguards Rule because its policies and procedures to protectcustomer information and to prevent and respond to cybersecurity incidents were not reasonablydesigned to meet these objectives. Among other things, VFA’s policies and procedures withrespect to resetting VFA contractor representatives’ passwords, terminating web sessions in itsproprietary gateway system for VFA contractor representatives, identifying higher-riskrepresentatives and customer accounts for additional security measures, and creation andalteration of Voya.com customer profiles, were not reasonably designed. In addition, a numberof VFA’s cybersecurity policies and procedures were not reasonably designed to be applied to itscontractor representatives.8.The Identity Theft Red Flags Rule requires certain financial institutions andcreditors, including broker-dealers and investment advisers registered or required to be registeredwith the Commission, to develop and implement a written Identity Theft Prevention Programthat is designed to detect, prevent, and mitigate identity theft2 in connection with the opening of acovered account or any existing covered account.3 An Identity Theft Prevention Program mustinclude reasonable policies and procedures to: identify relevant red flags for the coveredaccounts and incorporate them into the Identity Theft Prevention Program; detect the red flagsthat have been incorporated into the Identity Theft Prevention Program; respond appropriately to2The rule defines “identity theft” as a fraud committed or attempted using the identifying information of anotherperson without authority. See 17 C.F.R. § 248.201(b)(9).3The rule defines a “covered account” to include an account that a broker-dealer or investment adviser offers ormaintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiplepayments or transactions, such as a brokerage account with a broker-dealer. See 17 C.F.R. § 248.201(b)(3).3
any red flags that are detected pursuant to the Identity Theft Prevention Program; and ensure thatthe Identity Theft Prevention Program is updated periodically to reflect changes in risks tocustomers from identity theft.9.Although VFA adopted a written Identity Theft Prevention Program in 2009, VFAviolated the Identity Theft Red Flags Rule because it did not review and update the Identity TheftPrevention Program in response to changes in risks to its customers or provide adequate training toits employees. In addition, the Identity Theft Prevention Program did not include reasonablepolicies and procedures to respond to identity theft red flags, such as those that were detected byVFA during the April 2016 intrusion.Respondent10.VFA is a Minnesota corporation headquartered in Des Moines, Iowa, and duallyregistered as a broker-dealer and investment adviser with the Commission. VFA hasapproximately 13 million customers and approximately 11 billion in regulatory assets undermanagement. It is an indirect wholly-owned subsidiary of Voya.Background11.VFA offers a wide range of proprietary and non-proprietary investment productsand services through a national network of independent contractor registered representatives. VFAhas over 1,000 employees, including registered representatives, who work in its home and branchoffices, as well as 3,800 other associated persons, including contractor representatives who workout of their own offices in approximately 1,200 locations throughout the United States. Thecontractor representatives make up the largest part of VFA’s workforce and provide brokerage andinvestment advisory services to VFA’s customers. In the course of providing these services, VFAcontractor representatives regularly collect and access account information for VFA customers thatcontains PII.12.During the relevant period, while VFA employees generally used informationtechnology (“IT”) equipment and IT systems provided by Voya, VFA contractor representativesgenerally used their own IT equipment and operated over their own networks.13.During the relevant period, VFA contractor representatives typically accessed VFAcustomer information through a proprietary web portal called Voya for Professionals or VPro. Byentering login credentials consisting of a username and password into VPro, the contractorrepresentatives gained access to a number of web applications, including third-party applicationssuch as SmartWorks, which is a customer and prospect relationship management system thatcontained PII and account information for VFA customers and prospects, and a customer accountmanagement system that enabled VFA employees and contractor representatives to, among otherthings, execute trades and initiate cash distributions.VFA’s Policies and Procedures Prior to the Intrusion Were Deficient14.VFA had no cybersecurity staff of its own and outsourced most of its4
cybersecurity functions and some of its information technology functions to its parent company,Voya. Voya staff also serviced support call centers for VFA’s customers and contractorrepresentatives. Voya’s Financial Application Support Team (“FAST”) was responsible forresponding to VFA contractor representatives’ requests for assistance with respect to VPro andSmartWorks, among other systems.15.Prior to the intrusion, over a dozen Voya policies and procedures relating tocybersecurity were supposed to govern the conduct of VFA. Among other things, these policiesand procedures required: (a) manual account lock-outs for a user suspected of being involved in asecurity incident from web applications containing critical data, including customer PII; (b) asession timeout after 15 minutes of user inactivity in web applications containing customer PII; (c)a prohibition of concurrent web sessions by a single user in web applications containing customerPII; (d) multi-factor authentication (“MFA”)4 for access to applications containing customer PII;(e) annual and ad-hoc review of cybersecurity policies; and (f) cybersecurity awareness trainingand updates for VFA employees and contractors.16.VFA implemented these policies and procedures for the systems used by itsassociated persons that it classified as employees, including when those associated persons workedremotely.17.Even though these policies and procedures were applicable to VFA’s associatedpersons that it classified as independent contractors, including those working out of remote offices,these policies and procedures were not reasonably designed to apply to the systems they used. Forexample, VFA allowed its contractor representatives to maintain concurrent VPro sessions and didnot apply 15-minute inactivity timeouts5 to VPro sessions. In addition, VFA did not have aprocedure for terminating an individual VFA contractor representative’s remote session. Further,VFA contractor representatives’ web access to VPro was subject to MFA that required the userto answer previously-set security questions when a new device was connecting to the relevantVPro account. This form of MFA was rendered ineffective when users called the FAST team torequest a reset of VPro passwords and FAST staff reset the security questions, which was whathappened during the intrusion.18.The password reset procedures for VPro allowed FAST staff to provide users whocould not remember their passwords with a temporary password by phone, after the user providedat least two pieces of his or her PII. Temporary passwords were not required to