The financial markets here in the United States have reached all time highs just last week, and now there are starting to fall again because of rising interest rates. I am nowhere near to being a financial analysis expert, but I can tell you one thing of which I know about: How the financial industry is being impacted by cyber-attacks, something I have not written too much about lately.
It seems like that the Securities and Exchange Commission (SEC) is now starting to enforce a rule it created five years ago, but never followed up with it until now. That is, requiring financial investment firms, banks, and other related financial institutions to pay closer attention to the real possibilities of Identity Theft.
Its first form of this enforcement came against a firm known as Voya Financial Advisors, the investment advisory unit of Voya Financial. Apparently, the firm for unintentionally allowed hackers to access social security numbers, account balances and even the confidential details of client information and data.
For a period of six days back in 2016, the cyber attackers that were involved in this hack called the firm’s helpline and acted as Voya’s independent investment brokers, who make up much of the workforce of this company.
Even despite the fact that Voya’s security system tracked some of the telephone numbers fraudulent, they were still able to convince the helpline staff at Voya to reset their passwords and from there, provide new ones over the phone.
With these new passwords, the cyber attackers were able to gain the confidential information/data of over 5,600 customers, and even create new online accounts from them. Also, the cyber attackers were able to alter the customer phone numbers and their mailing addresses so that account statements and financial trade confirmations could be sent to a fictitious address without even triggering a fraud alert.
In many of these cases, the cyber attacker was able to create a phony email address ending in the domain of “@yopmail.com”. This in fact is a temporary email service that lets users create short term email addresses. By using this system, automated verification messages (such as trade confirmations) were not being sent to the real customer.
To add even more surprise to this, apparently Voya had an Identity Theft program in place about ten years ago, but it was never implemented. It was never upgraded, and because of the lack of its implementation, it fell far below the compliance requirements of the Dodd-Frank Legislation, which can be seen here at this link:
This ID Theft plan was never approved by the Board of Directors or even the C-Suite, it was even completely ignored by the IT Security staff as well. The actual SEC financial settlement with Voya has never been publicly released (rumors have it pegged at $1 Million), but as part of the penalties imposed, Voya has to clean up its so called so cyber hygiene.
And for the first time in its history, the SEC has even mandated that a cyber security firm keep a watchful eye over the practices of Voya, and to make sure that it comes into compliance as well.
It should be noted that all of these actions that have been taken by the SEC against Voya fall under the “red flags rule”. This completely different than the General Data Safe Security regulation and various Safety Guidance’s, which can be seen at the below links:
But, it seems like that the SEC is finally waking up slowly, and issued its first set of cyber security enforcement actions against Yahoo (in which over 500 million user accounts were stolen by cyber attackers). When Altbaba bought out Yahoo, they were subsequently fined $35 million for the late disclosure of this Security breach.
My thoughts on this?
One, I think it is totally reprehensible that an enforcement agency like the SEC has been so late to the game in terms of enforcing its compliance rules and regulations. There is simply no excuse for it. I mean they had this stuff in place well over five years ago, and how come they did not step up policing action back then against cyber attackers?
I mean cyber threats are nothing new, they have even been going on even well before five years ago. I really think that some of Congressional Oversight Board (or something similar in nature) needs to be created to makes sure that agencies like the SEC are doing its enforcement jobs.
Second, equal blame has to also fall on Voya. They too had programs in place but never implemented them either? That is totally ridiculous. This is something that the C-Suite should be help completely responsible for, and in fact, they all should be fired.
But this comes down to the question now is how much should the C-Level Exec be held for a Cyber-attack that occurs to their firm? This getting blaring attention from all over Corporate America.
Instead of worrying about the Russians meddling with the midterm elections, why can’t we instead worry about them meddling into Corporate America, where the threat is real and imminent. But as one of my podcast guests said, it may take another 9/11 attack on the cyber level in order for us to get out of the disillusionment that cyber threats are not real.