A month ago, I wrote a Compliance Week column about Vanguard’s disquieting cybersecurity stumble in February, and its ill-fated state of denial. Well, Vanguard is in the news again and it looks like they are making the same mistakes they always have. Some quick history:
Vanguard’s February Cybersecurity Stumble. Back in February, Vanguard mistakenly sent 71 emails pertaining to different customer transactions to a random Vanguard customer who was not associated with any of those customers (and who also tweeted about the incident).
A Vanguard spokeswoman told the Street.com (who broke the story) that the incident was a minor fluke, and played it all down, asserting that the emails contained merely names and transaction confirmation details.
Vanguard’s flawed response demonstrated how, too often, SEC-registered entities can underestimate just how difficult it is to manage customer data-related predicaments, whether the result of breaches or technical glitches.
For financial firms like Vanguard, the mishandling of any sort of data mishap can trigger for-cause regulatory examinations; state and federal investigations; customer class actions and innumerable unintended consequences. Moreover, the enhanced regulatory scrutiny together with the typically unfavorable media coverage following any sort of customer data mishap can lead to investor flight, management shake-ups and even C-suite firings.
To handle the data security breach appropriately, my take was that:
- Vanguard’s board should have engaged a former SEC senior official from an independent and neutral law firm (never engaged before) together with a digital forensics firm to conduct an investigation and report to the board its findings;
- Vanguard should have reported the investigation’s progress to the SEC every step of the way; and
- Vanguard should have disclosed the details of the incident in public filings, press releases and to those persons compromised.
It is unclear, based on public information, if Vanguard took any of these actions.
Vanguard’s Second Stumble. This week Vanguard experienced yet another technological breakdown with its customers and seems stuck in the same rut, unwilling to learn from their previous mistakes. Here is what happened:
After seeing a Tweet by veteran financial reporter Susan Antilla, Reuters reported a second technological problem between Vanguard and its customers. This time certain Vanguard Group clients woke up to find an inflated account balance displayed on their Apple mobile devices, a “hiccup that left at least one user cheering the apparent extra funds.”
Vanguard claims that the false information was seen by people using Vanguard software applications on their iPhones, iPads or iWatches and that the impact was a “modest number overall.” Per Vanguard, on average just 16 percent of logons to Vanguard.com come from an Apple device and of those about 11 percent visit the personal performance page where they would have seen the inflated balance.
The Tweets. Here is a tweet from an impacted Vanguard customer and here is Vanguard’s tweeted response to that customer.
Although Twitter has become an amazing customer relations tool, it can also be a bane for companies like Vanguard. For the second time this year, a Vanguard customer took to Twitter to voice a concern and the media picked up on the story, which demonstrates that no company can sweep data problems under the rug. Whether orchestrated by cyber-attackers, former or current employees, or outsiders, data compromises and technological calamities will always come to light, be it in a whistleblower complaint to the SEC or be it on social media like Twitter.
Vanguard might have even gotten off easy this time. Had the customers woken up to find their account balances significantly decreased (as opposed to significantly increased), and taken to Twitter to voice their concerns, it would have been front page news and could have caused a panic and an old-fashioned “bank run” on the famed mutual fund family.
Independence and Transparency. No doubt, SEC examiners will probe Vanguard’s most recent incident and it will be déjà vu all over again for Vanguard. Vanguard will have to experience a second round of IT headaches; unanticipated costs; management drag; and other related fallout. Ironically, Vanguard will have to endure the onslaught of destructive attention and extraordinary expense not because of its mistakes, but rather because of its inability to manage its mistakes properly.
Once again, Vanguard seems to be investigating itself – never a wise move, especially for SEC regulated entities. Having the same internal team that is responsible for a data security failure or a technological glitch also investigating that event is an inherent (and obvious) conflict of interest.
Strong corporate leaders seek answers from independent and neutral sources of information. Otherwise, risks are not properly exposed and examined, and they become exacerbated rather than assuaged. Remarkably, so many financial firms fail to grasp this critical necessity for independence.
For instance, cybersecurity at SEC-registered entities like Vanguard has become a top priority for the SEC inspections group and enforcement division. Every SEC-registered firm, including Vanguard, should anticipate the SEC’s increasing commitment to regulating cybersecurity. This means investigating data mishaps above all else, with independence and neutrality, a notion the SEC in particular respects and appreciates.
Vanguard’s Public Relations Failures. After the February data security episode, Vanguard spokeswoman Arianna Stefanoni Sherlock called the incident “a one-time, isolated matter” due to a “system error.” After this week’s customer account balance errors, Vanguard spokeswoman Katie Henderson Hirt attempted a similar shrug, characterizing the problem as an “application glitch.”
Neither of Vanguard’s responses was very illuminating or particularly comforting — and neither response inspired confidence. The Vanguard public relations team handling each incident sadly botched the company’s reaction — though the spokespersons probably do not bear the brunt of all of the blame. The PR team is also communicating the company line, which was probably dictated (as it should be) by Vanguard’s legal team.
But here is the lesson Vanguard’s PR and legal team missed: Whether mischaracterizing the value of a customer account or inadvertently releasing confidential customer information, the impact upon customers, regulators, partners, employees and other relationships and fiduciaries is grave. Even if these incidents were truly inconsequential, without further information from Vanguard, no one will believe that either was a minor fluke merely because Vanguard says so. There are always too many outstanding, unresolved questions, which can never be answered accurately and truthfully until the completion of an objective, independent and thorough investigation.
Moreover, after over 20 years of conducting investigations of so-called technological mishaps and data security incidents, one notion that I have learned the hard way is this: Facts gleaned in the first few days after an incident are often wrong and can lead to embarrassingly erroneous (and even career-killing) conclusions.
Instead of trying to characterize the incidents, Vanguard should have simply stated that they have undertaken an independent investigation and that they would report all findings to their customers, their regulators, their partners, their employees and every other relevant constituency. By navigating problems with integrity and transparency, Vanguard can shift the tides in their favor, seizing the opportunity to reinforce strong business ethics; fierce customer dedication; and steadfast corporate governance.
There is a terrific scene in Ron Howard’s 1995 film Apollo 13, which demonstrates this notion of “successful failure” so brilliantly. The film, which takes place in 1970, shows the trials and tribulations of the Apollo 13 crew, mission control, and families after a near-fatal in-space accident cripples the space vehicle. NASA must devise a strategy to return Apollo 13 to Earth safely in the ultimate crisis management situation. Just before the most intense moment, when it remained unclear whether the astronauts would survive their desperate re-entry flight back to Earth, several senior NASA officials and spokesmen are mulling over the impact of the accident. One of them states, “I know what the problems are. This could be the worst disaster NASA’s ever experienced.” Ed Harris, playing Gene Kranz, the famed NASA Apollo 13 flight director, overhears the misguided discussion and interrupts, firmly declaring, “With all due respect, sir, I believe this is gonna be our finest hour.”
The Lesson for Vanguard. Data security incidents, technological “glitches” and the like can happen anytime and remain an unfortunate fact of life for every firm, especially SEC-registered entities like Vanguard. Consequently, what’s most important is often the response to an incident rather than the incident itself. So many companies fail to appreciate this subtle but critical notion.
It may be hard to believe, but when handled correctly, a customer data compromise like the one Vanguard experienced can actually evolve into the kind of successful failure that not only strengthens technological infrastructure, but also reinforces a firm’s commitment to customers, partners and other fiduciaries. Ironically for Vanguard, their recent data security problem and application failures created such an opportunity. Vanguard’s crisis management team just missed it (both times).