InvestmentNews Editorials

Voya cybersecurity blunder should serve as a wake-up call to the entire industry

The stakes are high: Procedures have to be reviewed and tested on a regular basis

Oct 6, 2018 @ 6:00 am

By now, anyone responsible for cybersecurity at a financial advisory firm is probably tired of hearing about the subject. But the recent $1 million fine levied against Voya Financial Services should serve as a wake-up call to everyone in the industry for several reasons.

Cybercrime details

For one, it describes in detail an actual cybercrime and how it occurred — and how the firm failed not only to prevent it, but to shut it down adequately once being alerted that the breach was happening.

The Voya story also represents the first time the Securities and Exchange Commission has fined a company under its Identity Theft Red Flags rule, and puts all firms on notice that the regulator is ramping up cybersecurity enforcement. In other words, expect more fines in the future.

Procedures in place

Like most other firms, Voya had security procedures in place that should have guarded against the breach that occurred back in 2016. In this case, cybercriminals posing as advisers asked for and received usernames and new passwords from Voya support personnel, giving them access to the personal information of 5,600 customers.

Even after one of the real advisers who had been targeted in this identity theft scam reported that he had not requested a new password, the scheme was not thwarted. Over the next several days, two more advisers were impersonated. In fining Voya, the SEC said the breach occurred, in part, because its personnel did not have a full understanding of how its own portal worked.

Prevention and response

One hard lesson Voya learned is that having procedures and protocols in place is not enough. Procedures have to be reviewed and tested on a regular basis to make sure personnel are trained and are following protocols correctly — and that the procedures and protocols in place are still effective in both preventing and responding to cyberattacks.

(More: How a hacker led to Finra censuring and fining a broker-dealer)

Companies also need to be more proactive in anticipating cyberattacks. Thieves can be creative. If you stop them from breaching your systems one way, they will try to get their hands on your protected data using different methods. They won't stop, so companies can't let down their guard.

Need for review

It is not enough simply to draw up a cybersecurity plan and put it on the shelf to show regulators when they ask for it during an exam; it must constantly be updated using the latest information on what cyberthieves are up to.

That brings us to yet another lesson. Cybersecurity comes with a cost. But it is a cost that cannot be ignored. The SEC's regulations apply to all firms in the industry, no matter their size. And remember, the stakes are high.

Clients and investors will usually forgive a security breach one time. But if it reoccurs, they will flee to a competitor with a better record on security. And who can really blame them?

0
Comments

What do you think?

View comments

Recommended for you

Featured video

Events

The secret to working with next gen clients?

Alan Moore of XY Planning says working with millennials isn't as difficult as some advisers make it sound. Here are three strategies for success.

Video Spotlight

We started as a boutique firm with huge ambitions. Schwab was a perfect fit.

Sponsored by Schwab Advisor Services

Recommended Video

Keys to a successful deal

Latest news & opinion

10 millennials making their mark in Washington — and beyond

These next-generation leaders are raising their voices and gaining influence over financial advice regulation and legislation.

Warburg Pincus among private equity managers interested in acquiring Kestra Financial

Sources say Kestra is being valued at between $600 million and $800 million, about eight to 10 times EBITDA.

10 highest paid professions in America today

These are the top-paying jobs in the U.S., according to Glassdoor.

Former Merrill Lynch star broker Thomas Buck sentenced to 40 months in prison

He pleaded guilty to securities fraud in 2017; charged clients excessive commissions.

Rules for claiming Social Security at 70

Some individuals' benefits will begin automatically; others have to take action.

X

Hi! Glad you're here and we hope you like all the great work we do here at InvestmentNews. But what we do is expensive and is funded in part by our sponsors. So won't you show our sponsors a little love by whitelisting investmentnews.com? It'll help us continue to serve you.

Yes, show me how to whitelist investmentnews.com

Ad blocker detected. Please whitelist us or give premium a try.

X

Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print