SEC-registered investment adviser Voya’s $1‑million settlement with the SEC for alleged violations of the so-called “Safeguards Rule” and the “Identity Theft Red Flags Rule” shows that the SEC is willing to act when it believes firms could have done more to prevent cyber attacks. This proceeding demonstrates the SEC’s expectations that fund managers and other companies not only have cybersecurity policies and procedures in place, but also properly implement them and have compliance and audit procedures to ensure they are working as intended. This article analyzes the circumstances underlying the order, which involved a network intrusion by people impersonating third-party contractors, and its lessons, including what mistakes Voya made, how fund managers can avoid them and what the settlement says about SEC cybersecurity enforcement. See our three-part series on how fund managers should structure their cybersecurity programs: “Background and Best Practices” (Mar. 22, 2018); “CISO Hiring, Governance Structures and the Role of the CCO” (Apr. 5, 2018); and “Stakeholder Communication, Outsourcing, Co-Sourcing and Managing Third Parties” (Apr. 12, 2018).