SEC: Cybersecurity Procedures Must be Reasonably Designed to Fit Specific Business Models

The Securities and Exchange Commission recently announced that a Des Moines-based broker-dealer and investment adviser has agreed to pay $1 million to settle charges related to its failures in cybersecurity policies and procedures surrounding a cyber intrusion that compromised personal information of thousands of customers. This is the latest SEC action demonstrating that cybersecurity must be tailored to the practices of the business.

The SEC charged Voya Financial Advisors Inc. (VFA) with violating the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft. This is the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule.

According to the SEC’s order, cyber intruders impersonated VFA contractors over a six-day period in 2016 by calling VFA’s support line and requesting that the contractors’ passwords be reset. The intruders used the new passwords to gain access to the personal information of 5,600 VFA customers. The SEC’s order finds that the intruders then used the customer information to create new online customer profiles and obtain unauthorized access to account documents for three customers. The order also finds that VFA’s failure to terminate the intruders’ access stemmed from weaknesses in its cybersecurity procedures, some of which had been exposed during prior similar fraudulent activity. According to the order, VFA also failed to apply its procedures to the systems used by its independent contractors, who make up the largest part of VFA’s workforce.

Kennyhertz Perry works with a number of companies, including small businesses, on cyber intrusions. The order against VFA is an example of one of the most significant trends: the increase in the number of outsider attacks on small companies. “This is a new world for many small companies,” Kennyhertz Perry’s Braden Perry said. “While no single strategy ‘fits all,’ practicing basic cyber hygiene would address or mitigate a vast majority of security breaches. Being prepared if an intrusion occurs is also critical, and having a communications method for response, actively monitoring centralized hosts and networks, and including enhanced monitoring to detect known security events is a must.”

ABOUT KENNYHERTZ PERRY’S PRIVACY, CYBERSECURITY, AND BREACH MANAGEMENT PRACTICE GROUP

Kennyhertz Perry assists clients with data security needs, blending traditional legal experience in the corporate and litigation arenas with technical acumen.

We assist clients with prevention by developing robust information security programs. This includes administering internal compliance and risk assessments; developing and implementing the corporate policies and procedures required for compliance with state and federal privacy and security laws and with information security best practices; drafting information security policies; and preparing records retention and management policies.

In addition to prevention, Kennyhertz Perry can prepare security incident response procedures; identify, assess, contain, and mitigate privacy and security breaches; and work with law enforcement to assist in the investigation of the incident. Businesses that are the victims of cyber attacks also must determine whether, when, and how to cooperate with government agencies during the investigation of an attack.

The lawyers in our privacy and cybersecurity practice, as well as members of our Government Enforcement practice group, have deep experience in this area from both government and private practice. They help companies navigate the often complicated interactions with government agencies and can provide both counseling and representation where the threat of prosecution may arise.

Kennyhertz Perry also assists with IT resiliency by building understanding and engagement at the top management and board level. Traditionally, IT has been misunderstood, and management has not understood the role and responsibility of IT departments. Kennyhertz Perry bridges this gap at all levels. At the board level, directors not only need to be sophisticated about business issues, they also need to be versed in today’s cyber and IT landscape: understanding the importance of a proactive IT security policy and making the company feel “on board” with IT security efforts. Many companies have very robust policies and procedures for their business processes, which sophisticated board members can understand. IT is different. It speaks a different language from that of a business person, and unfortunately most board members will ignore or defer on issues they don’t understand. So when an IT department presents a robust plan for proactive IT security, it may be ignored or disregarded. This can lead to a purely reactive plan that focuses on the “when” rather than on prevention. We serve as the board’s IT/cybersecurity liaison, the “go-between” that translates IT language into business language and vice versa.

To learn more about Kennyhertz Perry, LLC, please visit kennyhertzperry.com. The choice of a lawyer is an important decision and should not be based solely upon advertisements.