Providing investors with a myriad of low-cost investment options has been the primary mission at the Vanguard Group for many years. The investment management titan is obviously doing something right, as it is the largest mutual fund provider and the second-largest ETF provider in the world. Vanguard founder John C. Bogle is known as the originator and the main force behind the popularization of index funds.

However, according to a whistleblower lawsuit filed by a Vanguard employee earlier this year, the fund giant is too cheap, too customer-focused, to bite the bullet and mandate strong cyber security policies. Moreover, a dramatically increased number of fraud cases involving Vanguard clients last year seems to support the whistleblower’s claims, reports Susan Antilla of The Street.

Details on Vanguard whistleblower lawsuit

Of note, the employee filing the whistleblower claim is not just some disgruntled call center employee from India; it is Vanguard Group’s client relationship manager, Karen Brock.

Brock claims Vanguard’s password policy is too weak and makes it easy for slick cybercriminals to break into customer accounts. She says she could log into her own Vanguard account despite intentional errors to her security (password) answers.

Moreover, she could reset her password after entering typos of between one and two characters on three separate security answers. Although the process did require providing a date of birth, ZIP code, the last four digits of her Social Security number and email address, experts say that information is relatively easily found or stolen online.

Experts point out that Vanguard is stuck between a rock and a hard place as quite a few customers complain they don’t want to spend a lot of time accessing their money, while others protest on social media about weak security policies and client vulnerabilities.

However, from Brock’s perspective, Vanguard clearly leans too far in the direction of convenience versus security (and costs to Vanguard). She points out that customers who can’t access their accounts because of security end up making more calls to customer service, which costs the firm more money. Brock says that she believes the firm’s low-expense credo is being foolishly pursued at the expense of security.

Statement from Vanguard

Vanguard spokesperson Arianna Stefanoni Sherlock commented in an email that Vanguard had investigated Brock’s claims “and we remain confident in our security practices and our efforts to keep our clients’ confidential information and their assets safe.”

Maybe fast customer service should not always be the priority

“I hear over and over when I’m onsite with financial firms that customers don’t want additional security,” because it slows down their ability to do transactions, noted John Reed Stark, a security consultant and ex-chief of the SEC’s Office of Internet Enforcement. “Maybe enhanced security requirements should be like seat belt laws, where everyone is required to be inconvenienced to protect them from themselves.”