On September 26, 2018, the Securities and Exchange Commission announced that a settlement was reached in its first enforcement action involving the Identity Theft Red Flags Rule (the "Red Flags Rule"). The Red Flags Rule was designed to protect confidential customer information and customers from the risk of identity theft. The Red Flags Rule requires "financial institutions" and some "creditors" to conduct a periodic risk assessment to determine if they have "covered accounts," and to develop, implement, and administer, an identity theft prevention program that include certain enumerated elements concerning the threat of identity theft.

This case began when the Division of Enforcement brought charges against Voya Financial Advisors Inc. ("VFA") for violating the Red Flags Rule and the Safeguards Rule by failing to correct weaknesses in its cybersecurity policies and procedures, which led to a fraudulent activity and a cyber-intrusion. Notably, several of VFA's contributing cybersecurity policy deficiencies were previously identified during similar fraudulent activity. Also, VFA did not to apply its cybersecurity procedures to the systems used by its independent contractors, which is particularly problematic because independent contractors are the largest segment of VFA's workforce. VFA must now pay $1 million to settle charges related to its failures in cybersecurity policies and procedures.

This enforcement action demonstrates the SEC Enforcement Division's heightened focus on identifying deficiencies in the cybersecurity policies and procedures of brokers and investment advisers. In light of the uptick in recently reported network intrusions, cyber incidents, and thefts of electronic data, it is imperative that brokers and investment advisers adopt and implement cybersecurity procedures that are: (1) reasonably designed to fit their specific business models; and (2) comply with both the Safeguards Rule and the Identity Theft Red Flags Rule.

For more information regarding the Red Flags Rule, the Safeguards Rule, and how to incorporate compliant programs into the daily operations of your business, please contact the Dickinson Wright attorneys listed below.

The full text of the Securities and Exchange Commission's Press Release may be accessed here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.