Anyone who has ever been the victim of identity theft or bank fraud knows how bad the experience can be.
Even if money isn’t immediately stolen from an account or purchases racked up on a credit card, the possibility of that eventually happening is something that can haunt people for years.
For investors, the experience can be particularly painful if personal data and information about your investment accounts and assets get into the wrong hands. Securities and Exchange Commission Chair Mary Jo White called cybersecurity the biggest risk to the financial system, noting that stock exchanges, dark pools and clearinghouses historically didn’t have adequate systems and policies in place to deal with the threat.
This is not just cybercrime experts raising the alarm,” said Brian Edelman, CEO of technology advisor Financial Computer. “This is the head of the SEC saying the system is at risk. These are real threats.”
Cybercrime continues to skyrocket across all sectors of the economy as technology and the internet become more integral to how businesses and individuals operate. Along with very high-profile data breaches at huge companies such as Home Depot, Target and JPMorgan Chase, hundreds of other firms are dealing with thousands of attacks both from inside and outside their organizations.
There have been 420 data breaches at U.S. companies and organizations through May 24 of this year, exposing more than 12 million personal records, according to the Identity Theft Resource Center, a nonprofit organization tracking cybercrime. Ten of those breaches occurred at financial service companies, including Charles Schwab, TD Bank and HSBC Bank USA, with at least 4,800 records exposed. In seven of the 10 incidents, the extent of the exposure of information was unknown.
Financial advisors and their firms are as much a target as anyone.
“There’s a laser focus on the regulatory front regarding cybersecurity preparedness. You don’t need a degree from MIT to deal with this.”
-Bryan Baas, managing director of risk oversight and controls at TD Ameritrade Institutional
“It used to be people only worried about wiring money to Nigeria,” said Bryan Baas, managing director of risk oversight and controls at TD Ameritrade Institutional, which serves as custodian for more than 5,000 financial advisors. “Criminals change their tactics. So many events have happened now that it’s at the top of everyone’s minds,” he said.
That includes securities regulators. Both the SEC, which oversees registered investment advisors and the Financial Industry Regulatory Authority, which regulates broker-dealers, conducted “cybersecurity sweeps” of advisors and broker-dealers in 2014. Their assessments of firm policies and controls were issued in a report last September.
The Office of Compliance Inspections and Examinations has issued guidelines for what is expected of firms regarding their defenses against cybercrime. Advisory firms, take note: The examinations and potential repercussions could be much more severe the second time around.
“There’s a laser focus on the regulatory front regarding cybersecurity preparedness,” said Baas, who helps advisor clients establish secure networks and appropriate policies to ensure data security. “You don’t need a degree from MIT to deal with this. You just have to know what’s expected of you and hire someone to help if needed.”
The experience of R.T. Jones Capital Equities Management, a small RIA based in St. Louis, provides a cautionary tale. Last September it was slapped with a $75,000 fine stemming from a data breach originating in China in 2013 that exposed personal information of about 100,000 people — not all of them clients of the firm. There has been no evidence that any of the individuals have suffered financial harm.
The SEC came down hard on the firm. It very publicly admonished R.T. Jones for having no written policies regarding cybersecurity, for failing to build a firewall to protect customer data, for not encrypting data it sent to a third-party web server and for not having a response plan for cyberattacks. The firm notified the individuals of the breach and offered credit monitoring services to them.
“When it happened, they did everything correctly in response, but regulators determined they didn’t have any documented plan” that would prevent such an incident, said Baas, adding, “The fine was only $75,000, but look at the reputational damage.”
R.T. Jones, which couldn’t be reached for comment, is currently fighting for its life.
For investors, cybercrime and protection from it should be a central concern when it comes to their financial advisors. Ask questions and demand proof of the answers, said Edelman at Financial Computer. A good place for investors to start is to check out the investor alert issued last fall by the Office of Compliance Inspections and Examinations.
“Investors need to know the questions to ask, and they need to get answers with proof,” Edelman said. “Every piece of information in the OCIE document can be demonstrated with proof.”
Here are five key questions about cybersecurity that both Edelman and Baas at TD Ameritrade Institutional suggest investors should ask their financial advisors:
What are you doing to protect my personal information?
Do you regularly assess the security of your information network and the potential risks from cyberattacks?
Other than your employees, who else that you work with has access to my data, and how do you monitor those outside vendors as to their cybersecurity policies?
Do you have a written cybersecurity plan, and can I see it?
Are all devices that have access to my information encrypted?