Voya Financial Advisors must pay $1 million to the Securities and Exchange Commission (SEC) following a cybersecurity breach.
Over six days in April 2016, criminals impersonating Voya contractors called Voya’s support team and obtained passwords, giving them access to the information of some 5,600 customer accounts, according to the SEC. Using this data, the intruders were able to create new online profiles and gain access to account documents for three customers, the agency said.
Shortly afterwards, one of the impersonated advisors received an email notification and alerted Voya, which took action, but by then the damage had been done.
The SEC said weaknesses in the firm’s cybersecurity procedures let the intruders through. In two cases, the callers used phone numbers that had previously been linked to fraudulent activity.
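The red flags the SEC cited, callers on numbers already tied to fraud and a burst of reset requests in the name of several different representatives, are the kind of thing a support-desk workflow can screen for before a reset is issued. The following is an added example, not Voya’s tooling or anything from the SEC order; the log format, field names, fraud list and thresholds are constructed assumptions for illustration.

```python
"""Screen support-desk password-reset requests for social-engineering
warning signs: callers using phone numbers already tied to fraud, a burst
of resets from one number, and one number claiming several identities.

Added example; not Voya's code. Log format, field names, the fraud list
and the thresholds are assumptions constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: numbers a fraud team has previously tied to incidents
# (in practice an export from a case-management system).
KNOWN_FRAUD_NUMBERS = {"+15550001111", "+15550002222"}

# Constructed support-desk log (hypothetical format):
# timestamp  caller-number  action  representative-ID-claimed
SAMPLE_LOG = """\
2016-04-13T09:02:11 +15550009999 password_reset REP-1001
2016-04-13T09:04:40 +15550001111 password_reset REP-1002
2016-04-13T09:05:05 +15550001111 password_reset REP-1003
2016-04-13T09:06:30 +15550003333 password_reset REP-1004
2016-04-13T09:07:15 +15550003333 password_reset REP-1005
2016-04-13T09:08:02 +15550003333 password_reset REP-1006
2016-04-13T14:30:00 +15550004444 balance_inquiry REP-1001
"""


def parse_log(text):
    """Parse the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, phone, action, rep_id = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "phone": phone,
            "action": action,
            "rep_id": rep_id,
        })
    return events


def screen_resets(events, fraud_numbers, max_per_window=2,
                  window=timedelta(minutes=10)):
    """Return a list of alerts for suspicious password-reset requests.

    Three checks, each producing an alert dict with a 'reason':
      known_fraud_number  - caller number is on the fraud list
      reset_burst         - more than max_per_window resets from one
                            number inside the sliding window
      multiple_identities - one number requested resets for two or
                            more distinct representative IDs
    """
    alerts = []
    recent = defaultdict(list)       # phone -> timestamps within window
    identities = defaultdict(set)    # phone -> rep IDs claimed

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "password_reset":
            continue
        phone, when = ev["phone"], ev["ts"]

        if phone in fraud_numbers:
            alerts.append({"reason": "known_fraud_number", "phone": phone,
                           "rep_id": ev["rep_id"], "ts": when.isoformat()})

        # Sliding window: keep only timestamps within `window` of now.
        recent[phone] = [t for t in recent[phone] if t >= when - window]
        recent[phone].append(when)
        if len(recent[phone]) == max_per_window + 1:
            alerts.append({"reason": "reset_burst", "phone": phone,
                           "count": len(recent[phone]),
                           "ts": when.isoformat()})

        identities[phone].add(ev["rep_id"])

    # A genuine representative resets one identity; several from one
    # number is the impersonation pattern.
    for phone, reps in identities.items():
        if len(reps) >= 2:
            alerts.append({"reason": "multiple_identities", "phone": phone,
                           "rep_ids": sorted(reps)})
    return alerts


if __name__ == "__main__":
    for alert in screen_resets(parse_log(SAMPLE_LOG), KNOWN_FRAUD_NUMBERS):
        print(alert)
```

The burst check fires once, when the count first exceeds the threshold, so a sustained attack does not flood the queue with duplicate alerts; the identity check runs after the pass so it reports each offending number once. In a real deployment the alert would block the reset and route the call to a second-factor verification rather than only log it.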
This is the regulator’s first time charging violations of its “red flags” identity theft rule, which requires firms to develop a written identity theft prevention program. Voya was also charged with violating the SEC’s “safeguards rule” due to its failure to protect customer records and information.
“VFA failed in its obligations when its deficiencies made it vulnerable to cyber intruders accessing the confidential information of thousands of its customers,” said Stephanie Avakian, co-director of the SEC enforcement division.
Another issue the SEC raised was Voya’s failure to apply its cybersecurity procedures to the systems used by independent contractors, who make up the largest portion of its workforce. The company said it would hire a consultant to review its procedures.
Robert A. Cohen, chief of the SEC enforcement division’s cyber unit, said the case is “a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models.” He noted that firms “also must review and update the procedures regularly to respond to changes in the risks they face.”
“Voya takes fraud and security matters seriously, and we invest significantly each year in our programs to protect the accounts and personal information of customers. We also know that independent advisors and third parties who work with us are increasingly the targets of fraud,” a Voya spokesperson told CIO in an emailed statement. “As part of our efforts, Voya continues to work with and support these partners to help protect their identity and client information.”
As for what a firm, its institutional investors, and their respective organizations should do when a cybersecurity threat appears, Alan Brill, senior managing director of cyber risk at Kroll Associates, told CIO that they should obtain a copy of the SEC order, have both their IT and compliance teams examine the situation, and fix the immediate issues before the problem grows.
“Once you’ve got that going, I think you’ve got to ask yourself that question of ‘how do I know what the real status is?’” he said, adding that the best way to approach the situation is to admit that “not knowing for real and for sure the state of cybersecurity within your organization is simply not acceptable.”
“The risks are now too great,” Brill said.
To prevent similar problems at Voya or elsewhere, Brill suggested that organizations examine their own standards for handling such situations.
“In today’s business, we can’t say that cybersecurity is the responsibility of the CISO [chief information security officer] or the IT department. It’s everybody’s responsibility,” said Brill.