Cybersecurity and information security protocols have become industry-wide priorities, both to the regulatory bodies that oversee our business practices and to the customers who trust that firms’ policies and procedures are up-to-date and robust.
This same principle extends to a firm’s employees, who also need their personally identifying information (“PII”) kept safe.
Voya Financial Advisors Inc. recently informed its associated brokers and financial advisers that a system glitch on a biography webpage had put their Social Security Numbers at risk of exposure.
On the Voya Financial “Find a Professional” webpage, a visitor could paste the direct link assigned to a Voya broker’s biography page into a text message or on social media, and the broker’s full Social Security Number would be displayed in the link.
This error left sensitive data vulnerable to exploitation and existed from early April 2016 until late November 2018, though the firm reports no evidence exists that the information was exploited for malicious purposes.
Voya International: Another Incident
This failure to secure important information at Voya Financial is the latest instance in a series of similar errors across the financial industry that have left sensitive information vulnerable.
In fact, this is Voya International’s second incident in recent months. In September, the firm agreed to pay $1 million in damages to the Securities and Exchange Commission for a failure in security protocols, including its incident response plan, that allowed criminals posing as independent advisers to call the firm’s support line and request new passwords. The attackers then accessed sensitive PII of 5,600 Voya Financial customers.
Cybersecurity: A Priority That Is Here to Stay
Our hope is that, by highlighting incidents like this one, more firms, broker-dealers, and RIAs will come to understand the attention that robust cybersecurity measures and effective incident response plans require across our industry.
The OCIE (Office of Compliance Inspections and Examinations) continues to remind us of this need by repeatedly listing cybersecurity and information security in its examination priorities.
It is critical that firms have effective measures to identify issues rapidly and respond to them effectively, along with a plan to correct the problem through remediation and increased training for employees in order to cut down on recidivism.
Enforcement bodies are not likely to take repeated infractions lightly.
Should your firm require assistance in reviewing your policies and procedures covering the use of technology, the development of a proper incident response plan, information security testing, or counsel in the event of a security breach, contact Jacko Law Group, PC.
Our attorneys are here to help with any questions or concerns. Let our decades of experience work for you.