SEC’s First Red Flags Rule Settlement: Broker-dealer Voya’s $1-million settlement with the SEC for alleged violations of the Safeguards Rule and the Identity Theft Red Flags Rule shows that the SEC is willing to act when it believes firms could have done more to prevent attacks.
“The SEC expects companies to not only have in place commercially reasonable standards, policies and procedures for cybersecurity, but to implement them along with compliance and audit procedures to assure that they are working as intended,” Jason Elmer, managing partner at Drawbridge Partners, told The Cybersecurity Law Report.
We analyze the case, which involved a network intrusion by people impersonating third-party contractors, and its lessons, including the mistakes Voya made, how companies can avoid them and what the case says about SEC cybersecurity enforcement.
SEC Cybersecurity News Alert: Today, the Securities and Exchange Commission (SEC) announced that a Des Moines-based broker-dealer and investment adviser has agreed to pay $1 million for its failures in cybersecurity policies and procedures surrounding a cyber-breach.
Facebook Cybersecurity Risk Alert: On Tuesday, September 25th, Facebook discovered a security breach affecting approximately 50 million users. Attackers exploited a vulnerability in the “View As” feature of Facebook, which allows users to view their profile from the perspective of another user. As a result of the exploit, the attackers stole Facebook access tokens, which could have allowed them to gain control of the user accounts. Access tokens are digital keys that keep users logged in to Facebook so that they do not have to re-enter their password every time they use the application.