Broker-dealer Voya’s $1-million settlement with the SEC for alleged violations of the Safeguards Rule and the Identity Theft Red Flags Rule shows that the SEC is willing to act when it believes firms could have done more to prevent attacks. “The SEC expects companies to not only have in place commercially reasonable standards, policies and procedures for cybersecurity, but to implement them along with compliance and audit procedures to assure that they are working as intended,” Jason Elmer, managing partner at Drawbridge Partners, told the Cybersecurity Law Report. We analyze the case, which involved a network intrusion by people impersonating third-party contractors, and its lessons, including the mistakes Voya made, how companies can avoid them and what the case says about SEC cybersecurity enforcement. See “How Financial Services Firms Should Structure Their Cybersecurity Programs” (May 9, 2018).