The Securities and Exchange Commission recently announced its first enforcement action charging a violation of the Identity Theft Red Flags Rule, in a case that every company should treat as a refresher on cybersecurity hygiene. In the Matter of Voya Financial Advisors, Inc. was brought against the publicly traded company, which manages over $500 billion, after a security breach that ran through several of its brokers acting as independent contractors. These brokers typically accessed Voya clients' PII through a password-protected web portal from their own IT equipment and networks. Voya, however, provided all IT training and support, including a help line for brokers experiencing technical issues.
Despite several opportunities to avoid or contain the breach, one or more intruders gained access to the PII of 5,600 Voya clients over the course of six days in April 2016. In what is an all too common theme in security breaches, the intruder started with a decidedly low-tech approach: he called the IT support line, impersonated brokers, and asked for password resets on their accounts. The support staff not only performed the resets after only basic identity verification, but also read the temporary passwords out over the phone. When one broker notified IT that he had received a password reset email without requesting one, it still took until the next day for a manager to email the support staff instructing them to stop giving out reset credentials by phone. In the interim, the intruder continued to use the accounts at will to access extensive client PII.
Rather than dismissing this case as one that "would never happen to me," companies should look carefully at the facts of In re Voya for its many cybersecurity lessons, and resist assuming that their own cyber defense and breach response policies are airtight.
- Specificity in Cybersecurity Policies and Procedures
Voya was wise enough to create a cybersecurity policies and procedures manual covering both mechanisms for protecting information and procedures for responding to breaches. It turned out, however, to lack specificity in several vital areas. For example, Voya regularly scanned contractors' equipment for anti-virus software, encryption, and software updates, but the manual prescribed no follow-up for equipment that failed the review. As a result, roughly 30% of devices exhibited critical failures, and no one was tasked with actually remediating them.
- Review Cybersecurity Policies and Procedures at Least Annually
Gaps in policy manuals such as the above will occur from time to time, but the more often the manuals are reviewed, the more likely the gaps are to be caught. In Voya's case, the SEC found that the policies and procedures making up its Identity Theft Prevention Program had not been substantively updated since 2009. It should go without saying that a gap of close to ten years between substantive updates to any portion of a cybersecurity manual is unlikely to survive regulatory scrutiny. Cybersecurity policies and procedures should be reviewed at least annually, if not more often, to ensure that they remain current.
- Regular Training for Technology Professionals
Data breach prevention and response are only as effective as the professionals who implement them, so IT staff must have up-to-date knowledge of how the company's networks and systems actually behave. After the Voya breach was detected and a primary suspect was identified by IP address, his unauthorized access continued because the IT staff believed that resetting the passwords again would automatically invalidate the intruder's existing authenticated sessions. It did not: the portal kept honoring sessions established before the reset, and so the intruder continued exploring Voya's systems after staff had "resolved" the issue.
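The lesson above is a concrete engineering requirement: a credential reset must also end every session that was authenticated with the old credential. The following is an added, constructed example (not Voya's code, and not from the SEC order) contrasting a reset routine that only rotates the stored hash with one that also bumps a per-account credential version and drops live sessions, so that a session the intruder already holds stops working. All names (`AuthService`, `reset_password_weak`, the sample account `broker1`) are hypothetical.

```python
"""Added example: a password reset that does not end live sessions vs. one that does.

Constructed illustration; names and sample data are hypothetical, not from the Voya case.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    credential_version: int = 0  # incremented on every password change


@dataclass
class Session:
    user: str
    credential_version: int  # version in force when the session was issued


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; prefer argon2/scrypt/bcrypt in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}  # opaque token -> session

    def create_account(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str) -> str | None:
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct.password_hash, _hash(password, acct.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, acct.credential_version)
        return token

    def user_for(self, token: str) -> str | None:
        """Resolve a token; reject sessions issued under a credential that has since changed."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        acct = self.accounts[sess.user]
        if sess.credential_version != acct.credential_version:
            del self.sessions[token]  # lazy revocation: stale session is discarded on use
            return None
        return sess.user

    def reset_password_weak(self, user: str, new_password: str) -> None:
        """The assumption that bit Voya's help desk: rotate the hash and nothing else."""
        acct = self.accounts[user]
        acct.password_hash = _hash(new_password, acct.salt)

    def reset_password(self, user: str, new_password: str) -> None:
        """Hardened reset: new salt and hash, bump the version, and evict live sessions."""
        acct = self.accounts[user]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash(new_password, acct.salt)
        acct.credential_version += 1
        for tok, sess in list(self.sessions.items()):
            if sess.user == user:
                del self.sessions[tok]


def demo() -> tuple[bool, bool]:
    """Return (intruder session survives weak reset, intruder session survives hardened reset)."""
    svc = AuthService()
    svc.create_account("broker1", "Spring2016!")          # constructed sample account
    intruder = svc.login("broker1", "Spring2016!")        # intruder already authenticated
    svc.reset_password_weak("broker1", "Temp#1")
    survives_weak = svc.user_for(intruder) == "broker1"
    svc.reset_password("broker1", "Temp#2")
    survives_hardened = svc.user_for(intruder) is not None
    return survives_weak, survives_hardened


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The version check in `user_for` is the belt-and-braces part: even if the eviction loop in `reset_password` were skipped (a replicated session store, a cache that lags), a session carrying an older `credential_version` is still refused on its next use. Several web frameworks implement the same idea (Django, for instance, stores a hash derived from the password in the session and rejects sessions whose stored value no longer matches), but the help desk and incident responders need to know whether the portal they operate actually does so.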
- Human Error Is the Biggest Cybersecurity Weakness
This training gap is yet another reminder that many breaches would not have occurred without a nontechnical lapse in human judgment. Voya's IT support staff were not supposed to be providing password resets over the phone, and yet the intruder was able to take over multiple accounts by the unsophisticated method of simply asking for new login credentials. The proliferation of technology in virtually every aspect of life leads many people to assume that they already keep their information safe, that they have no access to anything a hacker would "want," or that protecting their accounts is someone else's job. The only way to combat this is regular training that both refreshes existing policies and gives notice of the latest cybersecurity threats.
- A Breach Leads to a Multi-Front War
The final lesson from the SEC's action against Voya is the very fact that the action was brought by a securities regulator. Once a breach occurs, a company will have to fight on multiple fronts, not all of them obvious. In addition to the many state, federal and international agencies specifically charged with enforcing data security laws, other organizations with oversight authority will investigate as well. The SEC is not specifically tasked with enforcing cyber laws, yet it does so through its general oversight of the securities industry, and it is not unique in this regard. Each of these enforcement angles exists before even considering the likely civil litigation from individuals whose PII was exposed. Having an established team of professionals across the relevant fields is therefore a prerequisite both for preparing data security policies and procedures and for responding to a potential breach.
In re Voya involved several security lapses that, taken together, look particularly poor in hindsight. Each one individually, however, could have been a minor error caught and resolved before any damage was done. Many companies would likely find at least one of these mistakes in their own protocols, so the lessons of Voya should be used as a check-up on everyone's cybersecurity hygiene. Otherwise a false sense of security could lead you to the same hindsight conclusion: that your data was only a few cracks away from slipping into the wrong hands.