By now, anyone responsible for cybersecurity at a financial advisory firm is probably tired of hearing about the subject. But the recent $1 million fine levied against Voya Financial Services should serve as a wake-up call to everyone in the industry for several reasons.
For one, it describes in detail an actual cybercrime and how it occurred — and how the firm failed not only to prevent it, but to shut it down adequately once being alerted that the breach was happening.
The Voya story also represents the first time the Securities and Exchange Commission has fined a company under its Identity Theft Red Flags rule, and puts all firms on notice that the regulator is ramping up cybersecurity enforcement. In other words, expect more fines in the future.
Procedures in place
Like most other firms, Voya had security procedures in place that should have guarded against the breach that occurred back in 2016. In this case, cybercriminals posing as advisers asked for and received usernames and new passwords from Voya support personnel, giving them access to the personal information of 5,600 customers.
Even after one of the real advisers who had been targeted in this identity theft scam reported that he had not requested a new password, the scheme was not thwarted. Over the next several days, two more advisers were impersonated. In fining Voya, the SEC said the breach occurred, in part, because its personnel did not have a full understanding of how its own portal worked.
Prevention and response
One hard lesson Voya learned is that having procedures and protocols in place is not enough. Procedures have to be reviewed and tested on a regular basis to make sure personnel are trained and are following protocols correctly — and that the procedures and protocols in place are still effective in both preventing and responding to cyberattacks.
Companies also need to be more proactive in anticipating cyberattacks. Thieves can be creative. If you stop them from breaching your systems one way, they will try to get their hands on your protected data using different methods. They won't stop, so companies can't let down their guard.
Need for review
It is not enough simply to draw up a cybersecurity plan and put it on the shelf to show regulators when they ask for it during an exam; it must constantly be updated using the latest information on what cyberthieves are up to.
That brings us to yet another lesson. Cybersecurity comes with a cost. But it is a cost that cannot be ignored. The SEC's regulations apply to all firms in the industry, no matter their size. And remember, the stakes are high.
Clients and investors will usually forgive a security breach one time. But if it reoccurs, they will flee to a competitor with a better record on security. And who can really blame them?