Cybersecurity and information security protocols have become industry-wide priorities, both to the regulatory bodies that oversee our business practices and to the customers who trust that firms' policies and procedures are up-to-date and robust.
This same principle extends to a firm's employees, who also need their personally identifying information ("PII") kept safe.
Voya Financial Advisors Inc. recently informed its associated brokers and financial advisers that a system glitch on a biography webpage had put their Social Security Numbers at risk of exposure.
On the Voya Financial "Find a Professional" webpage, a visitor could paste the direct link assigned to a Voya broker's biography page into a text message or on social media, and the broker's full Social Security Number would be displayed in the link.
This error left sensitive data vulnerable to exploitation and existed from early April 2016 until late November 2018, though the firm reports no evidence exists that the information was exploited for malicious purposes.
Voya International: Another Incident
This failure to secure important information at Voya Financial is the latest instance in a series of similar errors across the financial industry that have left sensitive information vulnerable.
In fact, this is Voya International's second incident in recent months. In September, the firm agreed to pay $1 million in damages to the Securities and Exchange Commission for a failure in security protocols, including its incident response plan, that allowed criminals posing as independent advisers to call the firm's support line and request new passwords. The attackers then accessed sensitive PII of 5,600 Voya Financial customers.
Cybersecurity: A Priority That Is Here to Stay
Our hope is that, by highlighting incidents like this one, more firms, broker-dealers, and RIAs will come to understand the attention that robust cybersecurity measures and effective incident response plans require across our industry.
The OCIE (Office of Compliance Inspections and Examinations) continues to remind us of this need by repeatedly listing cybersecurity and information security in its examination priorities.
It is critical that firms have effective measures to identify issues rapidly and respond to them effectively, along with a plan to correct the problem through remediation and increased training for employees in order to cut down on recidivism.
Enforcement bodies are not likely to take repeated infractions lightly.
Should your firm require assistance in reviewing your policies and procedures covering the use of technology, the development of a proper incident response plan, information security testing, or counsel in the event of a security breach, contact Jacko Law Group, PC.
Our attorneys are here to help with any questions or concerns. Let our decades of experience work for you.