Scenario 2: One of your vendors discloses they’ve suffered a data breach, potentially exposing your clients to losses. How do you respond with your vendors, reps and clients? Does your business continuity plan include cybersecurity steps — or insurance?
Lon Dolber, American Portfolios, Division III: [It’s] just like business continuity [planning]. You have to be able to do fire drills. If you don’t have a playbook and you don’t do fire drills you’re not going to know what to do. You’re going to be running around like a chicken with its head cut off.
Eric Schwartz, Cambridge Investment Research, Division IV: You’re pretty much required to do all that stuff by regulators now. It’s not like you have an option about, ‘Well, maybe we won’t have an emergency plan.’
We actually have two different sites outside of our own site. You’ve got to see it actually works. We had our first experience in that way when a backhoe backhoed through a fiber optic cable about a hundred miles from our building about eight years ago.
So we realized, ‘Oh, gee, it really does happen,’ But absolutely, I think that clearly cybersecurity is a critical issue for every company in the United States these days, and you have to take it seriously.
The bigger issue is a direct hack to your own site versus if it goes to a National or Pershing, say, which many of us clear through. Obviously that’s going to be a big issue, but that’s going to be theirs to fix. We’re not going to be able to do much other than have a plan.
The playbook is really critical. Sitting around and try to figure out what you’re going to do for three days isn’t really a very good plan.
Dolber: I think the bigger risk is with the customers. If you think about it just mathematically, I have 110 employees, 800 advisors —I have 400,000 customers. I have very little control over their systems, but they’re getting compromised and their credentials are getting compromised.
I focus heavily on that — looking at my systems and understanding that an advisor’s going to get an email or a call from somebody that won’t be the person they think they are. How do I handle that?
How we train our advisors is [we send] phishing emails out to our advisors. We fabricate emails like this: ‘Your name was given to me by a close friend. He says you’re a great advisor. I don’t know if I’m good for you, but I’d like you to take a look at some of my things,’ and there’s an attachment. How many advisors are going to open up that attachment?
When they open that attachment it goes, ‘Got you. By the way, you shouldn’t have done this.’ It takes them to a training center to explain why you don’t open attachments from somebody you don’t know.
I can’t wholly leave it up to the advisors. That’s why we’ve made some changes in the way we do things. The first thing we did, years ago, on third-party wires no matter what the amount is we have to call the customer to confirm. Brokers scream to me about that, scream bloody murder about me calling their customer. I don’t care. I’m calling the customer and I’m asking them security questions.
Let me ask everybody here, how many of you have turned on two-factor [authentication] for your log in for your advisors? Or a better question, how many of you turned on two-factor for the customer logging into NetX360 client or logging into Albridge?
Industry-wide, most of us may have two-factor or second-level authentication for a broker logging into our portal, but have you turned that on for the client? Very few firms have.
Jamie Green, Investment Advisor: Sorry, two-factor is after you put your password in you say you’re not a robot?
Dolber: It could be a couple of things. First, what we did is if we don’t recognize the IP address or the computer, we are balking and saying, ‘We don’t recognize this computer. We’re going to send you a code that you have to insert.’ […] That’s a second-level authentication. There are other levels.
We have 20,000 customers logged into Albridge. Have you turned on second level authentication for those customers?
Ralph DeVito, The Investment Center, Division II: I don’t believe we have.
Dolber: Very few firms have. What about Pershing’s NetX client? How many have turned on two-factor for that? Or a better question, how many broker-dealers have a client portal? I’m not talking about a place where the client goes and they can log in here and log in there. I’m talking where the client is just like a broker. They log in and they get authenticated by the broker-dealer and then you’re passing them to the services they use.
I’m going to authenticate the client at the portal level. I’ll pass them to these systems that they use. I’m not going to have them going directly to Pershing, going directly to Albridge. They’re going to come through me the way a broker comes through me.
DeVito: I agree, we all have disaster plans. I have the off-site [location]. I have desks available. We cloud everything as best we can, just to make it more accessible. Our phone systems now are cloud. My cell phone can now turn into my desk phone.
But I don’t know that we answered your question. Was your question, ‘If we get hacked, if one of our vendors were to get hacked and all of our 100,000 or more names are out there’ — that was your question, correct?
Danielle Andrus, Investment Center: Yes. What do you do?
DeVito: I think it comes back to relationship again. We’re going to work with the vendor. If it’s a third party, we’re going to find out exactly which steps they’re going to do. We’re going to convey that to the reps to make them feel [comfortable], whether it’s an email or conference call or individually in our cases. Maybe to larger firms it might be a little bit difficult to call 2,000 people.
I might actually call the majority with the staff to talk to them. Again, it’s all relationships. If I had clients who were really nervous about it, we would even talk to them directly if we had to.
Dolber: You could ask for their SANS 20, a list of their SANS 20 and what they’ve done in each one of those 20 items. That’s simple. If you look at FINRA, they did a release on cybersecurity, a 46-page memo. They gave suggestions like, ‘On your board of directors there should be a cybersecurity discussion on every meeting. You should vet your vendors.’ You don’t have to do a big exhaustive study, but ask them some basic questions about their security level.
David Stringer, Prospera Financial, Division I: Based off of that document from FINRA, I think everybody’s got cybersecurity [questions] that they ask of their vendors and anybody who’s got your clients’ and staff’s personal identity information, their PII.
I think, Lon, what you said, though, is pretty accurate. The real penetration from cybersecurity is when one of your client’s email gets hacked and the guy out in Lithuania is pretending to be your client asking for you to transfer some funds.
Dolber: Ten times this year already.
Stringer: We’ve already had several of those.
DeVito: It seems to happen on a regular basis. I don’t know that we can control that. We could try to educate our reps. That’s what we’re doing. We’re trying to educate the reps on those areas, but on the cyber side I think we have to be more concerned about our procedures, our internal ones, too. These big firms are getting hacked, a lot of times, by a disgruntled employee. We fish inside our own firm, too, because you have to.
Dolber: I think that’s smart. Do you allow an electronic signature?
Dolber: So for instance, how are you authenticating the client? Are you doing it by a code, or are you doing it by LexisNexis?
DeVito: I think it’s LexisNexis.
Dolber: I may be wrong, but I decided I was going to do it by the code and I’ll tell you why. The challenge question takes it out of the rep’s hand because it’s done by LexisNexis.
I want the rep to have to give a code to the customer. Now, customers balked at that. Reps might balk at that. ‘You mean every time I send an encrypted envelope with an electronic document, I have to call the client and give them a code?’
Yeah, that’s what I want you to do. I want you to call the client and give them that code because I want you to confirm with the client that they are the ones who asked for that, for whatever it is you are sending them.
DeVito: It has to get personal for them.
Dolber: Personal to the reps.
DeVito: For the reps, yeah. We’re sending out the cases where we get hacked. I had a rep, he’s in the airport, ready to go on vacation, he gets one of those emails that says, ‘Hi, it’s John Smith. Can you send me $8,422? I need it, and I can’t get it.’He comes up with some benign number that’s not too large, not too odd. He tries to call the client, can’t get a hold of them to do good customer service. The way this happened would have never happened internally, but it was a direct account, maybe a mutual fund. He said, ‘Here’s the wire, here’s the funds,’ and it went out.
So we take that case and we send it [out]. We teach the reps, this is why you need to do the code. This is why you have to double check.