Do Disclosures to the SEC About Cybersecurity Qualify for Whistleblower Awards?

Since the establishment of the SEC’s Whistleblower Program in 2011, questions have occasionally arisen about the scope and limitations of the federal agency’s ability to grant awards to whistleblowers. For example, do disclosures to the SEC about cybersecurity qualify for whistleblower awards?

A recent enforcement action taken against Voya Financial Advisors, Inc. (VFA) answered this question with a “yes.” VFA will pay $1 million to settle charges that it did not do enough to protect information about advisory clients and brokerage customers.

Issues behind the settlement

VFA’s standard modus operandi was to give its independent contractor representatives (who make up the majority of its workforce) access to personal customer information through its own web portal, which could be reached from personal devices so long as they had an internet connection.

However, during six days in April 2016, multiple unknown people gained access to this web portal by impersonating VFA representatives and calling the technical support line to reset their passwords. After the passwords were reset, the people posing as VFA contractors were able to get temporary passwords, giving them access to personal information of thousands of customers.

Furthermore, after the breach occurred, VFA did not address the deficiencies in its cybersecurity that allowed this to happen. According to reports, one adviser alerted VFA that he had not requested the new password that was put on his account, but more advisers were still impersonated after this official report.

With so much business now done online and remotely, it’s crucial for companies to do everything they can to protect confidential information. For further information on the SEC’s whistleblower program, meet with a skilled attorney at Kardell Law Group.