Thu, Oct 4, 2018

SEC’s First “Identity Theft Red Flags Rule” Enforcement Action Results in $1 Million Settlement

Late in September – five years after the U.S. Securities and Exchange Commission enacted its “Identity Theft Red Flags Rule” – the SEC announced its first enforcement action over violations of the Rule. A Des Moines-based broker-dealer and investment adviser will pay $1 million to settle charges after cyber intruders infiltrated the firm, compromising the personal information of thousands of customers.

According to Alan Brill, Kroll Cyber Risk Senior Managing Director, this first settlement is a harbinger of future regulatory activity: “This is now a very, very loud alarm bell ringing,” he noted in an interview with Law 360.

Alan provided his uniquely broad perspective on the SEC action in several interviews, including with the following publications: 

WSJ Pro Cybersecurity, “Regulators Hold Voya, Uber Accountable for Cybersecurity Missteps,” by Adam Janofsky.
Alan: “Having great standards for cybersecurity isn't enough. What the Commission is saying is that yes, you have to have those standards, but they also have to be appropriate and you have to actually do what it says.”

Chief Investment Officer, “SEC Fines Voya $1 Million for Cybersecurity Breach,” by Chris Butera.
Alan: “I think you’ve got to ask yourself that question of how do I know what the real status is? … Not knowing for real and for sure the state of cybersecurity within your organization is simply not acceptable.”

Law 360, “Existence Of Cybersecurity Policies Not Enough For SEC,” by Rachel Graf.
“The settlement also indicates the regulator isn’t focused exclusively on the companies, but on their contractors and other associates as well. Organizations that outsource work need to ensure that there are cybersecurity policies in place for vendors and other organizations with which they share sensitive data, said Alan.”

Investment News, “SEC adds cybersecurity bite to its bark,” by Ryan W. Neal.
Alan: “The SEC is moving from this being an esoteric problem to being a part of their everyday thinking, their everyday analysis and their everyday actions.”

Additional Insights

In a joint effort with Ken Joseph, Global Head of our Disputes practice, Alan also outlined the impact of this enforcement action and the clear message it sends to executives and boards of directors.

Read Alan and Ken’s message here.