The Des Moines-based firm, a broker-dealer and investment adviser, was charged with violating the Safeguards Rule and Identity Theft Red Flags Rule, which aim to protect personal data and customers from identity theft.
This ruling marks the first time the SEC has enforced the Identity Theft Red Flags Rule by penalizing an offending firm.
“Customers entrust both their money and their personal information to their brokers and investment advisers,” Stephanie Avakian, Co-Director of the SEC Enforcement Division, said in a press release. “VFA failed in its obligations when its deficiencies made it vulnerable to cyber intruders accessing the confidential information of thousands of its customers.”
In 2016, cyber intruders impersonated VFA contractors over a six-day period by calling the company’s support line and requesting that the contractors’ passwords be reset. The criminals then used the new passwords to gain access to the personal information of 5,600 VFA customers, to create new online customer profiles, and to obtain unauthorized access to account documents for three customers.
The SEC contends that the intruders’ access wasn’t stopped because of weaknesses in VFA’s cybersecurity procedures, some of which had come to light during prior, similar fraudulent activity. The company also failed to apply its procedures to the systems used by its independent contractors.
“This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Robert A. Cohen, Chief of the SEC Enforcement Division’s Cyber Unit. “They also must review and update the procedures regularly to respond to changes in the risks they face.”
Without admitting or denying the SEC’s findings, VFA agreed to pay the fine and will retain an independent consultant to evaluate its policies and procedures to ensure compliance with regulations.
Will LaSala, director of security solutions and security evangelist at OneSpan, said that this ruling shows that regulatory agencies are taking online privacy seriously. “The enforcement of the Identity Theft Red Flag Rule by the SEC is a very large step in the right direction and could have a trickle-down effect into other markets, such as the FFIEC guidance, that up until now has been weakly enforced and monitored. The size of the fines is another indicator that the law and regulatory bodies have had enough and are ready to start to push back on companies that are failing to put the basic safeguards in place for identity protection. It will only be a matter of time before we start to see bigger fines — and more of them — as the government attempts to crack down and stop the wild west of the internet.”