Where the Real Cybersecurity Risk Comes From

The leaders of the winning Broker-Dealers of the Year share their approach to cybersecurity and where the biggest vulnerability is

Lon Dolber shares his firm's approach to cybersecurity at the 2015 Broker-Dealers of the Year roundtable in August. (Photo: Tom McKenzie)

Scenario 2: One of your vendors discloses they’ve suffered a data breach, potentially exposing your clients to losses. How do you respond with your vendors, reps and clients? Does your business continuity plan include cybersecurity steps — or insurance?

Lon Dolber, American Portfolios, Division III: [It’s] just like business continuity [planning]. You have to be able to do fire drills. If you don't have a playbook and you don't do fire drills you're not going to know what to do. You're going to be running around like a chicken with its head cut off.

Eric Schwartz, Cambridge Investment Research, Division IV: You're pretty much required to do all that stuff by regulators now. It's not like you have an option about, ‘Well, maybe we won't have an emergency plan.’

We actually have two different sites outside of our own site. You've got to see it actually works. We had our first experience in that way when a backhoe backhoed through a fiber optic cable about a hundred miles from our building about eight years ago.

So we realized, ‘Oh, gee, it really does happen.’ But absolutely, I think that clearly cybersecurity is a critical issue for every company in the United States these days, and you have to take it seriously.

The bigger issue is a direct hack to your own site versus if it goes to a National or Pershing, say, which many of us clear through. Obviously that's going to be a big issue, but that's going to be theirs to fix. We're not going to be able to do much other than have a plan.

The playbook is really critical. Sitting around and trying to figure out what you're going to do for three days isn't really a very good plan.

Dolber: I think the bigger risk is with the customers. If you think about it just mathematically, I have 110 employees, 800 advisors — I have 400,000 customers. I have very little control over their systems, but they're getting compromised and their credentials are getting compromised.

I focus heavily on that — looking at my systems and understanding that an advisor's going to get an email or a call from somebody that won't be the person they think they are. How do I handle that?

How we train our advisors is [we send] phishing emails out to our advisors. We fabricate emails like this: ‘Your name was given to me by a close friend. He says you're a great advisor. I don't know if I'm good for you, but I'd like you to take a look at some of my things,’ and there's an attachment. How many advisors are going to open up that attachment?

When they open that attachment it goes, ‘Got you. By the way, you shouldn't have done this.’ It takes them to a training center to explain why you don't open attachments from somebody you don't know.

I can't wholly leave it up to the advisors. That's why we've made some changes in the way we do things. The first thing we did, years ago, on third-party wires no matter what the amount is we have to call the customer to confirm. Brokers scream to me about that, scream bloody murder about me calling their customer. I don't care. I'm calling the customer and I'm asking them security questions.

Let me ask everybody here, how many of you have turned on two-factor [authentication] for your log in for your advisors? Or a better question, how many of you turned on two-factor for the customer logging into NetX360 client or logging into Albridge?

Industry-wide, most of us may have two-factor or second-level authentication for a broker logging into our portal, but have you turned that on for the client? Very few firms have.

Jamie Green, Investment Advisor: Sorry, two-factor is after you put your password in you say you're not a robot?

Dolber: It could be a couple of things. First, what we did is if we don't recognize the IP address or the computer, we are balking and saying, ‘We don't recognize this computer. We're going to send you a code that you have to insert.’ […] That's a second-level authentication. There are other levels.

We have 20,000 customers logged into Albridge. Have you turned on second level authentication for those customers?

Ralph DeVito, The Investment Center, Division II: I don't believe we have.

Dolber: Very few firms have. What about Pershing's NetX client? How many have turned on two-factor for that? Or a better question, how many broker-dealers have a client portal? I'm not talking about a place where the client goes and they can log in here and log in there. I'm talking where the client is just like a broker. They log in and they get authenticated by the broker-dealer and then you're passing them to the services they use.

I'm going to authenticate the client at the portal level. I'll pass them to these systems that they use. I'm not going to have them going directly to Pershing, going directly to Albridge. They're going to come through me the way a broker comes through me.

DeVito: I agree, we all have disaster plans. I have the off-site [location]. I have desks available. We cloud everything as best we can, just to make it more accessible. Our phone systems now are cloud. My cell phone can now turn into my desk phone.

But I don't know that we answered your question. Was your question, ‘If we get hacked, if one of our vendors were to get hacked and all of our 100,000 or more names are out there’ — that was your question, correct?

Danielle Andrus, Investment Center: Yes. What do you do?

DeVito: I think it comes back to relationship again. We're going to work with the vendor. If it's a third party, we're going to find out exactly which steps they're going to do. We're going to convey that to the reps to make them feel [comfortable], whether it's an email or conference call or individually in our cases. Maybe to larger firms it might be a little bit difficult to call 2,000 people.

I might actually call the majority with the staff to talk to them. Again, it's all relationships. If I had clients who were really nervous about it, we would even talk to them directly if we had to.

Dolber: You could ask for their SANS 20, a list of their SANS 20 and what they've done in each one of those 20 items. That's simple. If you look at FINRA, they did a release on cybersecurity, a 46-page memo. They gave suggestions like, ‘On your board of directors there should be a cybersecurity discussion on every meeting. You should vet your vendors.’ You don't have to do a big exhaustive study, but ask them some basic questions about their security level.

David Stringer, Prospera Financial, Division I: Based off of that document from FINRA, I think everybody's got cybersecurity [questions] that they ask of their vendors and anybody who's got your clients' and staff's personal identity information, their PII.

I think, Lon, what you said, though, is pretty accurate. The real penetration from cybersecurity is when one of your clients' emails gets hacked and the guy out in Lithuania is pretending to be your client asking for you to transfer some funds.

Dolber: Ten times this year already.

Stringer: We've already had several of those.

DeVito: It seems to happen on a regular basis. I don't know that we can control that. We could try to educate our reps. That's what we're doing. We're trying to educate the reps on those areas, but on the cyber side I think we have to be more concerned about our procedures, our internal ones, too. These big firms are getting hacked, a lot of times, by a disgruntled employee. We fish inside our own firm, too, because you have to.

Dolber: I think that's smart. Do you allow an electronic signature?

DeVito: Yeah.

Dolber: So for instance, how are you authenticating the client? Are you doing it by a code, or are you doing it by LexisNexis?

DeVito: I think it's LexisNexis.

Dolber: I may be wrong, but I decided I was going to do it by the code and I'll tell you why. The challenge question takes it out of the rep's hand because it's done by LexisNexis.

I want the rep to have to give a code to the customer. Now, customers balked at that. Reps might balk at that. ‘You mean every time I send an encrypted envelope with an electronic document, I have to call the client and give them a code?’

Yeah, that's what I want you to do. I want you to call the client and give them that code because I want you to confirm with the client that they are the ones who asked for that, for whatever it is you are sending them.

DeVito: It has to get personal for them.

Dolber: Personal to the reps.

DeVito: For the reps, yeah. We're sending out the cases where we get hacked. I had a rep, he's in the airport, ready to go on vacation, he gets one of those emails that says, ‘Hi, it's John Smith. Can you send me $8,422? I need it, and I can't get it.’ He comes up with some benign number that's not too large, not too odd. He tries to call the client, can't get a hold of them to do good customer service. The way this happened would have never happened internally, but it was a direct account, maybe a mutual fund. He said, ‘Here's the wire, here's the funds,’ and it went out.

So we take that case and we send it [out]. We teach the reps, this is why you need to do the code. This is why you have to double check.

Schwartz: We had one of those things as well. Same exact thing: The rep was about to go on vacation. Reps do dangerous things when they are leaving in two hours for vacation because they don't check as carefully as they should.

There are really two categories of vendors. One is where there's money that can be sent out. In other words, if it's your clearing firm, the person can get in there and get a check written. If it's Albridge, they can't. No money is going anywhere — not to say Albridge is therefore unimportant and it doesn't matter if somebody goes into an Albridge account, but it's one thing to get somebody's Social Security number or get some information about them. It's another thing to have the ability to wire $1 million to Lithuania.

Certainly, your No. 1 defense has to be in places where you actually have money sitting. Let's face it, how many accounts were hacked at J.P. Morgan? Something like 8 million accounts or something? But they didn't take anything. Obviously those are ugly, but they are not nearly as ugly as when a whole pile of money disappears.

We've had about one a year for the last two or three years, and before that we never had any, but fortunately, none have been over $30,000. You may even call the client and the client says, ‘Yeah,’ or they thought you are talking about the IRA distribution they were asking for and this is a different account. I don't think too many broker-dealers have gone as far along [as American Portfolios]. Most advisors get pretty prickly when you want to call up their $20 million client because he wants a $4,000 wire. I think that is an extreme, but you've taken it further. You're either a forward thinker, or somebody that your reps are going to go crazy over.

Dolber: We had some reps go crazy about it, but you know something? We had one advisor who was screaming bloody murder and saying, ‘Wire that money, wire that money!’ I said, ‘No, I can’t get your client.’ They actually threatened to leave. It turned out it was a fraud, and they were very thankful we didn't wire the money.

Schwartz: Let's face it, breaking into banks and robbing trains isn’t really that fashionable these days. Cybersecurity, worst comes to worst, you get caught and then you make $1 million each year going around the circuit speaking about cybersecurity.

Cybersecurity Insurance ‘Evolving Area’

Green: What kind of liability insurance do you have?

Dolber: I just took out a $30,000 policy, cybersecurity insurance policy, because you do have expense. You have liability of expense. Some states have rules about having to inform clients of a breach.

DeVito: We might have expenses to set them up with a credit check, [or] you have to put a LifeLock on them. We all have insurance for it.

Schwartz: We have it, too.

Green: I'm sorry, that protects the broker-dealer? Does that protect the rep?

Schwartz: It does not protect against fraud by the rep or by some third-party. If $30,000 gets wired out of an account at National or Pershing incorrectly, we are going to be writing that check. Pershing and National certainly aren't going to write it, unless you can prove clearly they are at fault.

Now understand, cybersecurity is a relatively new thing. Insurance policies available are probably nowhere near as sophisticated or all-encompassing as they will be in three or five years. [We] are constantly assessing the new policies because it's not like E&O insurance, which is going on around 30, 40 years and everybody has figured out all the ways you can lose money.

The pricing of it is a little uncertain because there's not enough history for the insurance company to figure out what their expenses are going to be.

Stringer: There may be exclusions they need to sharpen up.

Schwartz: Yes, and we don't even know. We haven't had enough of them to know, ‘We can get burned these 137 new ways.’ This is an evolving area of law and of protection and of insurance, which obviously you need to continue to monitor and try to protect yourself from.

Many advisors think that because they are good people, clients will never complain, they'll never get these different things happening. Obviously, you try to educate them as to the risks, so that they are your eyes and ears, versus being oblivious to it. Let's face it, they're busy doing what they are doing. I wouldn't be thinking about cybersecurity if we hadn't had it happen. You can't expect the advisor to. That's what they're paying us for, [so] that on these kind of issues, we're ahead of the curve, educating them, making them our partners in it.

Client (Dis)Service

Dolber: There's a service element when you create a client portal, but one suggestion would be, why not just give the client the choice of two-factor? If you don't want to do it because it's a management issue and it's a resource issue, at least offer the client the choice of having two levels of authentication.

Even if you don't have a portal, you can offer them the choice of two levels of authentication into Albridge or into Pershing or into TD, as an example.

Schwartz: For years, the whole thing about investor portals was to build them so they were single sign-on. That was the goal: ‘Okay, you sign into Cambridge, boom, you're in.’ Then you go out of National and you come into Albridge, and there's a new sign-in.

Dolber: We wouldn't do that. We would use sign-in 2.0 across the board. What happens is the client would log into a portal and all of the authentication would be done there, and then they would [have a] single sign-on to any of the services they would use.

I would authenticate them through a client portal so I wouldn't have to do two-factor at the individual places because I've already done it at the front end. But you might ask them if they want to turn on two levels of authentication on that way.

Schwartz: It's an interesting idea. My gut would tell me that 98% of the rep clients would choose not to do that because they've never had [a cyberattack] happen, and they don't know any friends who have had it happen, and [two-factor authentication] is a pain to go through.

Dolber: It is.

Schwartz: You get spoiled. I have sites I go to regularly, some of which are, ‘Remember my sign-in.’ Other ones, they ask me who my mother was, and if I ever go in with my iPad instead of my regular computer, there are three more questions.

Dolber: For God's sake, in my own conference room, if my temp file gets blown out for any reason, I will go log in and it will be asking me for the code. I have to go get my iPhone because it's being texted to me, and I have to put that in. It's an inconvenience.

Schwartz: It's the extinction level events that worry me. What's going to put you out of business? That's your first extinction level event. Even if it's only a one out of 10,000 chance, you can't do those.

Dolber: At the Pershing conference, they had an FBI agent there talking about it. First of all, the wholesalers got hit, and the department stores got hit. Then the banks got hit. Do you know who's going to get hit? If these guys start looking at the independent broker-dealer model, they start looking at us and how we work, you are going to start seeing more cybersecurity attacks. It's just going to be a matter of time.

Schwartz: Yes. They go where the biggest dollars are, where the most well-known companies are.

Green: Where the vulnerabilities are.

Schwartz: If we're having 10 of these attacks a day, or a week, people will be going to triple sign-ons or whatever else very quickly.

Dolber: But I can give you an economic reason that offsets the cost. If you have a client portal, we can do certain things that we don't do now. I can ask the client to opt out of receiving certain things like the privacy statement. If I do a client portal where I have a handshake with the client, I can ask them to opt out of paper.

So our thinking didn't start with a portal for cybersecurity. It started because I wanted a way to opt out of the ADV mailing, to opt out of the privacy statement, to opt out of the three-year mailing, to opt out of the welcome letter. But if I do a handshake with the client, which is required, I can then deliver things to them electronically.

I asked my brokers, ‘Do you mind if I do that? Is that getting between you and your customer?’ They said ‘No.’ If all you are doing is asking them to opt out of receiving a copy of the privacy statement, or receiving the three-year letter when there is no activity, or getting the welcome letter that was sent, they don't mind that.

Think about it. You know what you spend on paper? We're spending over a quarter of a million dollars a year sending out the welcome letters, the privacy statement and the three-year, and the suitability and address change letters. We're constantly sending letters to clients.

DeVito: We do both. Some are emails, some are letters.

Schwartz: We're still doing mailing, but we basically have concluded that we need to do a mailing once a year anyway, so we basically just pile everything into one.

Stringer: That's how we do it.

Schwartz: We do have a program to get people to opt out of some of this stuff, but it is a constant effort. Even if you have the handshake, most of them ignore it and go right on to the next thing.

It seems almost a crime against nature at this point that we should be printing as much paper in this society that we are now in. Computers can print papers much faster than humans, so we actually use more paper than we did before we had that functionality.

It's unfortunate that regulators make it so hard to get some of the stuff electronically, especially since many of the clients would prefer it. But it takes a lot of effort to get them all to sign up for it. The clearing firm started trying to encourage us to do more of these years ago because they started charging you for paper stuff that they didn't charge for before.
