Get the DealBook newsletter to make sense of major business and policy headlines — and the power-brokers who shape them.

__________

Five years ago, the Securities and Exchange Commission adopted a rule requiring investment firms to pay attention to identity theft. It never enforced it — until late last month.

In a cease-and-desist order against Voya Financial Advisors, the investment advisory unit of Voya Financial, the commission used the “Identity Theft Red Flags Rule” to censure the firm for allowing hackers to access social security numbers, account balances and even details of client investment accounts.

The S.E.C.’s action should set off alarm bells for every financial firm and board of directors under the agency’s watch. Most companies are probably not in compliance with the rule and, given the agency’s increased focus on cybersecurity, they should move quickly to address any issues.