Financial advisory firms rely heavily on third-party vendors to streamline operations, connect with clients, and enhance service offerings. These vendors, often forming a financial firm’s supply chain, include robo-advisors, customer relationship management (CRM) systems, and other software services critical to client interactions and internal management. However, as the case of Voya Financial Advisors reveals, inadequate oversight and security measures can expose firms to substantial cybersecurity risks, regulatory fines, and reputational damage.
In this article, we explore what happened to Voya Financial, how security gaps in a third-party vendor led to a million-dollar fine, and what lessons investment firms can learn to protect themselves.
Case Study Breakdown: What Happened at Voya Financial?
In September 2016, the Securities and Exchange Commission (SEC) ordered Voya Financial Advisors, Inc. to pay a $1 million penalty after determining that the firm violated crucial cybersecurity regulations. The penalties were linked to Voya’s failure to adequately secure its systems against unauthorized access, exposing sensitive client data in a breach that could have been prevented. The incident serves as a cautionary tale for financial advisors about the importance of managing third-party vendor risks.
The Initial Breach: How Hackers Gained Access to Voya Financial
In April 2016, hackers targeted Voya by exploiting security weaknesses in the CRM system provided by one of its third-party vendors. The attackers impersonated Voya-affiliated contractors and contacted the CRM’s tech support team, requesting password resets for Voya user accounts. After only minimal verification, the vendor’s support staff complied, granting the hackers access to sensitive client data. The hackers were then able to obtain usernames and passwords, giving them free rein over Voya’s network and allowing them to access:
- Social Security Numbers
- Tax Documentation
- Financial and Personal Data
What’s particularly shocking is that the hackers were able to request and receive information on more than one occasion. They manipulated the vendor’s tech support team repeatedly, exploiting insufficient authentication protocols to maintain their access.
The vulnerability didn’t just end with client data; hackers also had control over systems that allowed them to initiate trades, putting Voya and its clients at significant financial risk.
Voya’s Response: Immediate Action and Missed Opportunities
Upon discovering the breach, Voya’s IT department took steps to mitigate the damage by resetting the compromised accounts’ passwords. Unfortunately, this simple measure did not prevent the hackers from accessing the network again. The IT team assumed that by resetting passwords, they would sever the hackers’ connection. However, due to a lack of multi-factor authentication (MFA), the hackers could resume access simply by requesting another reset.
The attackers’ activity stopped only because they chose to stop. After they exited Voya’s network, the company took further steps, blocking two IP addresses identified as malicious through its Intrusion Prevention and Detection Systems (IPS/IDS). While this action did restrict the hackers from re-entering, it did not address the systemic issues within Voya’s and the vendor’s authentication policies that allowed the breach to happen in the first place.
Post-Breach Actions: Compliance Failures and Regulatory Fallout
Once the dust settled, Voya implemented stricter security measures. They revised their password reset policies and added new protocols for tech support verification. Voya also informed affected clients and offered one year of free credit monitoring to mitigate potential damage. To address internal security lapses, Voya appointed a new Chief Information Security Officer (CISO) and enhanced internal controls.
However, the SEC had already taken notice. By the time Voya took corrective action, the damage had been done. Voya’s failure to protect sensitive client data and to properly oversee third-party vendor policies resulted in a $1 million fine and a consent order mandating stricter cybersecurity measures.
Regulations Violated: Understanding SEC’s Requirements for Financial Advisors
The SEC determined that Voya had violated two major regulatory rules in place to safeguard client data and prevent identity theft:
- Regulation S-P (Safeguards Rule)
Regulation S-P requires financial firms to develop, implement, and maintain written policies and procedures to protect client data. The rule mandates appropriate measures to prevent unauthorized access to or use of customer records and information. Voya’s failure to enforce stringent access control and oversight over third-party vendor protocols led directly to the breach and violated this rule.
- Regulation S-ID (Identity Theft Red Flags Rule)
Regulation S-ID requires financial institutions to establish identity theft protection programs. These programs are intended to identify, detect, and respond to potential red flags that could signal identity theft. In Voya’s case, the absence of multi-factor authentication and lack of verification protocols allowed hackers to repeatedly bypass security controls without detection, breaching this regulation.
These violations underscore the importance of robust, proactive cybersecurity measures, particularly for sensitive financial data.
Lessons Learned: Mitigating Third-Party Vendor Risks in Financial Firms
The Voya Financial breach highlights how critical it is for financial firms to address vendor risk management. Third-party vendors provide essential services, but they also pose unique risks. When a vendor fails to secure its systems properly, it can create vulnerabilities in its clients’ networks.
1. Implement Strong Authentication Measures
One of the most glaring issues in the Voya incident was the lack of multi-factor authentication (MFA). Simply requiring users to authenticate with a second factor, such as a one-time passcode generated by an authenticator app (e.g., Google Authenticator), could have thwarted the hackers’ repeated attempts to access Voya’s systems.
By adopting MFA, firms create an additional layer of security that makes unauthorized access significantly more difficult for attackers who do not hold the device that generates the code: a password obtained through a social-engineered reset no longer grants access on its own.
2. Conduct Regular Security Audits of Third-Party Vendors
Financial advisory firms must assess their vendors’ cybersecurity practices before and during the partnership. Regular security audits can help identify vulnerabilities, assess policy gaps, and ensure that vendors adhere to security standards.
A proactive approach includes requesting and reviewing vendors’ information security policies, understanding their data protection procedures, and ensuring they align with SEC regulations. Firms should also perform ongoing assessments to confirm that their vendors adapt to evolving security threats.
3. Train All Employees on Cybersecurity Protocols
A comprehensive cybersecurity training program can prevent human error, which is often exploited by attackers. Tech support staff should be trained to verify credentials thoroughly, ensuring that only authorized personnel can request sensitive account information or password resets.
Training should extend to all employees, not just those in IT or tech support. By fostering a security-aware culture, firms reduce the risk of phishing, social engineering, and other tactics that hackers use to manipulate staff into revealing sensitive information.
4. Establish a Clear Incident Response Plan
Financial firms should have a documented incident response plan to handle breaches effectively and efficiently. Voya’s delayed response allowed attackers to exploit their systems repeatedly. A well-structured incident response plan includes steps for isolating affected systems, notifying relevant parties, and coordinating with cybersecurity experts to prevent further compromise.
Incorporating third-party vendor management into the incident response plan is essential. Financial firms should include clear protocols for terminating access, identifying affected accounts, and preventing re-entry following an initial breach.
5. Enforce Continuous Monitoring and Alerts for High-Risk Systems
High-risk systems that contain sensitive client information or can authorize financial transactions require continuous monitoring. This includes setting up alerts for suspicious login attempts, logins from unusual IP addresses, and rapid or repeated password reset requests for the same account. By actively monitoring these systems, firms can detect unauthorized access attempts in real time, allowing for faster containment.
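As an added example (not code from the article or from any vendor system), the following Python detector runs two of the checks this section names over constructed authentication log lines: repeated password reset requests for one account inside a time window, and successful logins from outside the firm's own network range. The key=value log format, the field names, the trusted range 198.51.100.0/24 and the thresholds are all assumptions made for the example; a real deployment would feed the same rules from the CRM's or identity provider's audit log.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed sample log (made up for this example; not from the incident).
# The pattern mirrors the narrative: one account has several help-desk resets
# in a short span, each followed by a login from an address outside the firm.
SAMPLE_LOG = """\
2016-04-13T09:58:02Z event=reset_request account=advisor01 src=198.51.100.12 channel=helpdesk
2016-04-13T10:01:40Z event=login_success account=advisor01 src=198.51.100.12
2016-04-13T10:20:11Z event=reset_request account=advisor07 src=203.0.113.45 channel=helpdesk
2016-04-13T10:22:03Z event=login_success account=advisor07 src=203.0.113.45
2016-04-13T10:40:55Z event=reset_request account=advisor07 src=203.0.113.45 channel=helpdesk
2016-04-13T11:03:19Z event=reset_request account=advisor07 src=203.0.113.45 channel=helpdesk
2016-04-13T11:04:00Z event=login_success account=advisor07 src=203.0.113.45
"""

# Assumed firm-owned address range (198.51.100.0/24 is documentation space).
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_line(line: str) -> Dict[str, str]:
    """Split '<timestamp> key=value key=value ...' into a dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split())
    rec["ts"] = m.group("ts")
    return rec


def detect(log_text: str, trusted_nets, reset_threshold: int = 3,
           reset_window: timedelta = timedelta(hours=2)) -> List[Dict[str, str]]:
    """Return alerts, in log order, for the two monitoring rules."""
    alerts: List[Dict[str, str]] = []
    # Sliding window of recent reset timestamps, kept per account.
    recent_resets: Dict[str, Deque[datetime]] = defaultdict(deque)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        account = rec["account"]
        src = ipaddress.ip_address(rec["src"])

        if rec["event"] == "reset_request":
            window = recent_resets[account]
            window.append(ts)
            while window and ts - window[0] > reset_window:
                window.popleft()  # drop resets older than the window
            if len(window) >= reset_threshold:
                alerts.append({"rule": "rapid_password_resets", "account": account,
                               "ts": rec["ts"],
                               "detail": f"{len(window)} resets within {reset_window}"})

        elif rec["event"] == "login_success":
            if not any(src in net for net in trusted_nets):
                alerts.append({"rule": "login_from_untrusted_network", "account": account,
                               "ts": rec["ts"], "detail": f"src={src}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, TRUSTED_NETS):
        print(f"{alert['ts']} {alert['rule']:<28} {alert['account']} {alert['detail']}")
```

Run against the sample, the detector raises one rapid-reset alert on the third reset for advisor07 and flags both of that account's logins as coming from outside the trusted range, while advisor01's ordinary reset-and-login pair produces nothing. Tuning the threshold and window to the firm's real help-desk volume is what keeps such alerts actionable rather than noisy.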
6. Partner with Vendors Aligned with Your Regulatory Needs
Voya’s vendor was operating under different standards, which led to a misalignment in security protocols. Financial firms must ensure that their vendors have security policies that meet or exceed their own regulatory requirements. Engaging vendors who specialize in financial services and understand FINRA and SEC rules is essential for compliance and risk mitigation.
Conclusion: Protecting Your Firm Against Third-Party Vendor Risk
The case of Voya Financial demonstrates the importance of strict oversight in third-party vendor management. Poor security practices on the vendor’s end ultimately cost Voya $1 million, not to mention the damage to its reputation and the potential for lasting mistrust among its clients. Financial firms must prioritize vendor risk management as part of their overall cybersecurity strategy.
By implementing multi-factor authentication, conducting regular audits, training employees, establishing an incident response plan, and partnering with compliance-aware vendors, financial advisors can better protect themselves from the severe consequences of vendor-related breaches. Proactively addressing these areas can ensure that your firm meets regulatory requirements and maintains client trust in today’s increasingly complex digital landscape.
Sources:
SEC Litigation Against Voya Financial Advisors: SEC.gov