Close Close
ThinkAdvisor

Industry Spotlight > Broker Dealers

Cybersecurity: A Checklist for Advisors

X
Your article was successfully shared with the contacts you provided.

Financial advisors know all too well that they need to protect their business from cyberattacks, but the problem may be bigger than many may imagine.

Greg Ruppert, vice president for financial crimes at Schwab, speaking at Schwab’s Impact 2015 conference in Boston, said he saw hundreds of overnight cyberattacks when he headed the FBI’s Cyber Division, before joining Schwab in 2014.

Cyber threats are “nonstop and touch our lives daily,” said Ruppert. “24/7, 365 days a year… The targets are your firm, you, your employees and vendors.”

Ruppert warned that not being online could be even more risky because you’re “not aware of what is out there about you.”

Indeed, on Tuesday, the U.S. attorney for the Southern District of New York revealed that the three men accused of last year’s big breach of JPMorgan’s database are also accused of hacking into the customer databases of other firms including TD Ameritrade, Fidelity and Dow Jones, and Atlanta prosecutors charged two of the men with attacking the databases of E-Trade Financial and Scottrade. And last weekend Comcast disclosed that 590,000 Comcast email addresses and passwords were stolen – only 200,000 were reportedly active users.

Howard Ward, chief investment officer of GAMCO Advisors, said in another presentation at the Schwab conference there were 43,000 cyberattacks in the U.S. last year and investing in cybersecurity will be “the next big thing.” 

Hackers are “no longer the 14-year-old in his mom’s basement; [but] now organized enterprises with billions of dollars at stake,” Ruppert said. They “can mine your data, figure out who you are, and go to places where you automatically infect yourself.“

One of the most popular attacks involves “spear phishing,” said Ruppert. That’s when hackers send emails that appear to be from an individual or business the recipient knows. Opening the email, however, gives the hackers access to personal financial information like Social Security and credit card numbers.

One of seven daily emails includes spear phishing, and about 30-35% contain some kind of malware, Ruppert said.  “It’s “the gift that keeps on giving.”

Clyde Langley, vice president of fraud prevention and investigations at Schwab, told the advisor audience that four out of 10 of their clients’ emails are being compromised at any one time, and many won’t even know it.

Hackers are  “watching the traffic and waiting for the opportune moment” to strike, said Langley, who spent more than 15 years at the FBI supervising and investigating cybercrimes and financial crimes.

Langley and Michelle Thetford,vice president of advisor services and client strategic solutions at Schwab, listed several warning signs of cyberattacks that advisors should be aware of, including:

  • Customer requests for money transfers, especially urgent requests that note that the customer will not be available for verification. Ninety percent of those communications are fraudulent, said Thetford.
  • Vendor notifications that their bank routing instructions have changed
  • Calls whose conversations start with asking about account balances

These requests and other need to be verified with a “second channel” like a phone call before any money is transferred, said Langley.  “Two-factor ID is a very effective first step,” said Ruppert. “It frustrates fraudsters and adds a level of security.” 

Before transferring any money, “ensure that you are talking to the client,” said Thetford, “maybe using a code word or video call. “ Advisors need to set up the proper controls, which can prevent up to 95% of external fraud a firm faces, said Thetford. This includes documenting firm’s fraud prevention policies and procedures, establishing controls that mitigate risk and outline accountability and establishing an escalation plan when a hack is suspected.

Then advisors needs to educate employees and clients about these procedures and policies, says Thetford.

She suggests that advisors train employees in a series of sessions, rather than just one, because that tends to be more effective, and let employees know there will be consequences if they don’t follow those procedures.

 “Your internal control system is only as effective as how much you hold people to account to follow it,” said Thetford.  She recommends “zero tolerance” when employees fail to follow those procedures.

She also recommends that advisors impress upon clients that they, too, need to do their own diligence, update antivirus software and be cautious about the information they share through social media and email.

“Brokerage account fraud is very different from credit card fraud,” said Thetford. There is no automatic reimbursement, she said. “Clients need to understand the difference.”

Once fraud is detected, advisors need to act as soon as possible, treating clients as high risk and notifying Schwab’s fraud service team, according to the panel. Schwab, in turn, will put internal controls on the account and contact the authorities, which are tracking such reports, looking for similarities.

“If you wait over a weekend odds are you won’t get money back,” said Thetford.  She recalled one case where Schwab wasn’t contacted until the Monday that followed a weekend fraud. “It took three years to recover the money,” she said.

–Related on ThinkAdvisor