Nov 13 2018

SEC charges investment adviser firm: $1M settlement accepted

The Securities and Exchange Commission (SEC) and its Office of Compliance Inspections and Examinations (OCIE) have long been advising the financial industry that cybersecurity is its top priority (see my prior blogpost).

In late September, the SEC announced that an Iowa-based broker-dealer and investment adviser, Voya Financial Advisors Inc. (VFA), has agreed to pay $1 million to settle charges regarding its failure to maintain adequate cybersecurity policies and procedures, as they related to a compromise of the company’s network.

In its charge, the SEC cited both the Safeguards Rule and the Identity Theft Red Flags Rule, implemented to protect confidential information and customer privacy. This is the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule.

According to Robert A. Cohen, Chief of the SEC’s Cyber Unit Enforcement Division, “This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models,” and “They also must review and update the procedures regularly to respond to changes in the risks they face.”

Whether you are in the financial industry vertical or are a third-party vendor to a company in the industry, your policies, procedures, and information security risk management program must meet regulations.