InvestmentNews Editorials

Voya cybersecurity blunder should serve as a wake-up call to the entire industry

The stakes are high: Procedures have to be reviewed and tested on a regular basis

Oct 6, 2018 @ 6:00 am

By now, anyone responsible for cybersecurity at a financial advisory firm is probably tired of hearing about the subject. But the recent $1 million fine levied against Voya Financial Services should serve as a wake-up call to everyone in the industry for several reasons.

Cybercrime details

For one, it describes in detail an actual cybercrime and how it occurred — and how the firm failed not only to prevent it, but to shut it down adequately once being alerted that the breach was happening.

The Voya story also represents the first time the Securities and Exchange Commission has fined a company under its Identity Theft Red Flags rule, and puts all firms on notice that the regulator is ramping up cybersecurity enforcement. In other words, expect more fines in the future.

Procedures in place

Like most other firms, Voya had security procedures in place that should have guarded against the breach that occurred back in 2016. In this case, cybercriminals posing as advisers asked for and received usernames and new passwords from Voya support personnel, giving them access to the personal information of 5,600 customers.

Even after one of the real advisers who had been targeted in this identity theft scam reported that he had not requested a new password, the scheme was not thwarted. Over the next several days, two more advisers were impersonated. In fining Voya, the SEC said the breach occurred, in part, because its personnel did not have a full understanding of how its own portal worked.

Prevention and response

One hard lesson Voya learned is that having procedures and protocols in place is not enough. Procedures have to be reviewed and tested on a regular basis to make sure personnel are trained and are following protocols correctly — and that the procedures and protocols in place are still effective in both preventing and responding to cyberattacks.

(More: How a hacker led to Finra censuring and fining a broker-dealer)

Companies also need to be more proactive in anticipating cyberattacks. Thieves can be creative. If you stop them from breaching your systems one way, they will try to get their hands on your protected data using different methods. They won't stop, so companies can't let down their guard.

Need for review

It is not enough simply to draw up a cybersecurity plan and put it on the shelf to show regulators when they ask for it during an exam; it must constantly be updated using the latest information on what cyberthieves are up to.

That brings us to yet another lesson. Cybersecurity comes with a cost. But it is a cost that cannot be ignored. The SEC's regulations apply to all firms in the industry, no matter their size. And remember, the stakes are high.

Clients and investors will usually forgive a security breach one time. But if it reoccurs, they will flee to a competitor with a better record on security. And who can really blame them?

0
Comments

What do you think?

View comments

Recommended for you

Featured video

INTV

Where in the U.S. are RIAs growing the fastest?

InvestmentNews' deputy editor Robert Hordt talks to senior columnist Jeff Benjamin about his report on how registered investment advisers are faring in different regions of the country.

Latest news & opinion

Midwestern magic? RIA assets soared nearly 30% there last year

Theories for what's driving the growth spurt abound, but it surpassed all other regions of the country.

8 apps advisers love for getting stuff done

We reached out to advisers to find out which apps they are using to run their business more efficiently.

10 tax moves to squeeze in before the year ends

Here are some tax moves clients can still make before year-end.

Richard Neal: the new face driving retirement policy in Washington

As he becomes head of the House Ways and Means Committee, Rep. Richard Neal (D-Mass.) is poised to make some big changes.

X

Hi! Glad you're here and we hope you like all the great work we do here at InvestmentNews. But what we do is expensive and is funded in part by our sponsors. So won't you show our sponsors a little love by whitelisting investmentnews.com? It'll help us continue to serve you.

Yes, show me how to whitelist investmentnews.com

Ad blocker detected. Please whitelist us or give premium a try.

X

Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print