By Jonathan Stempel
(Reuters) - Voya Financial Inc (N:VOYA) agreed to pay a $1 million fine to settle U.S. Securities and Exchange Commission charges over an April 2016 intrusion that compromised customer information, in the regulator's first enforcement action under a rule designed to thwart identity theft.
The SEC on Wednesday said the settlement resolved charges under the Identity Theft Red Flags Rule, a 2013 regulation that required many financial services companies to adopt programs to stop identity theft in new and existing accounts.
It arose from a six-day period when intruders impersonated contractors for Voya Financial Advisors Inc, a unit of New York-based Voya, and arranged to reset those contractors' passwords.
The SEC said this enabled the intruders to obtain personal information of at least 5,600 customers and account information for three customers, though no unauthorized transfers occurred.
Voya has $528 billion of assets under management and administration, according to its website. The company did not admit or deny wrongdoing in agreeing to settle.
"Customers entrust both their money and their personal information to their brokers and investment advisers," Stephanie Avakian, co-director of the SEC's enforcement division, said in a statement. "VFA failed in its obligations."
Voya spokesman Joe Loparco said in an email that the company was pleased to settle, promptly reported and addressed the matter, and has upgraded its procedures to avoid a recurrence.
Wednesday's civil settlement requires a consultant to oversee Voya's compliance with the identity theft rule, which implemented part of the 2010 Dodd-Frank financial reform law, and the so-called Safeguards Rule to protect customer records.
The SEC said that at the time of the intrusion, Voya contractors had access to customer information through an in-house portal, and some of Voya's cybersecurity weaknesses had already been exposed during prior fraudulent activity.
Voya Financial Advisors has offices in Des Moines, Iowa.