(Reuters) - Voya Financial Inc (VOYA.N) agreed to pay a $1 million fine to settle U.S. Securities and Exchange Commission charges over an April 2016 cyberattack in the regulator’s first enforcement action under a new rule designed to thwart identity theft.

FILE PHOTO - The Voya Financial Inc. logo is displayed on a screen on the floor of the New York Stock Exchange (NYSE) in New York, U.S., May 3, 2018. REUTERS/Brendan McDermid

The SEC on Wednesday said the case arose from a six-day period when intruders impersonated contractors for Voya Financial Advisors Inc, a unit of New York-based Voya, and arranged for the resetting of those contractors’ passwords.

According to the regulator, this enabled the intruders to obtain personal information of at least 5,600 customers and account information for three customers, though no unauthorized transfers occurred.

The SEC said Voya’s failure to stop the intrusion resulted from weaknesses in its cybersecurity procedures, including some exposed during prior fraudulent activity.

Without admitting wrongdoing, Voya settled charges it violated the Identity Theft Red Flags Rule, which requires financial services companies to adopt programs to detect and stop identity theft, in the first case of its kind, the SEC said.

Voya did not immediately respond to requests for comment.