Cybersecurity is a concern for “the entire planet,” according to Eric Schwartz of Cambridge Investment Research. He and the other winners of the 2016 Broker-Dealers of the Year discussed the myriad cybersecurity challenges their firms are facing.
Danielle Andrus, Investment Advisor: Where does cybersecurity fit in that when you have all these disparate sources of information you’re trying to integrate?
Eric Schwartz, Cambridge Investment Research, Division IV: It’s clearly a bigger and bigger concern for the entire planet in everything. I don’t know that our industry’s that much different. You’re going to get attacked. Fortunately, we don’t get attacked as much as JPMorgan does because we’re not as well known.
It’s an ongoing effort, and a bigger percentage of the budget on an ongoing basis. We have, in the history of the company, had two or three cases of $20,000 or $30,000 being pulled out of accounts.
The first one happened over 10 years ago. [Attacks have] been small, and there’s been two or three of them.
That doesn’t make us think something worse isn’t going to happen soon. Fortunately, most of our assets, they’re not sitting in our broom closet. It’s over in National [Financial], or Pershing has a lot of it, or Schwab or American Funds. They have their own guards up, too.
Ralph DeVito, The Investment Center, Division II: We haven’t had anybody getting any money stolen yet. We have had a number of reps hacked. Luckily, it was no crazy data breaches, per se. We’re spending a ton of money internally on our systems or backup systems, firewalls, both in house and disaster recovery.
You have to monitor who you’re using for cloud-based stuff, too, making sure they’re prepared. In the event that they get hacked when it’s your data, whose issue is it? We’re constantly training and sending out alerts, suggesting, almost demanding, what a rep should have in his office to secure his systems as well. We’re encrypting everything that comes and goes internally.
When you look at the cybersecurity map, all the hacks that are going on at any given time, it looks like air control. There are that many thousands of hacks going on simultaneously worldwide.
Lon Dolber, American Portfolios, Division III: We create fictitious emails, and we send them to the advisors. If they open those emails, they’re sent to an [electronic] training center.
The other thing we’re looking at right now is when advisors log on to our website we want to potentially install an agent on their computers that will look at what virus protection they have in their systems, what their operating system is, how much they’ve updated it.
When we do the audits we ask those questions, but how often do you do an audit? Once a year? In some cases you don’t have to do it for two years. It’s not enough.
We’re going to tell the advisor that when they log on, we’re going to be looking, put an agent on their computer. It doesn’t do anything other than report back what the status is, and we’ll tell them what the status is.
That, combined with the two-factor [authentication] that every advisor that logs in has to have, that’s what I want for the clients, too. I would venture to say that most firms, when their client logs into Albridge or Pershing, are not being given a second level of authentication. In some cases it’s not even offered.
That’s a problem [because] it’s the clients that are getting hacked. It’s not so much the reps. We have [over 400,000] customers. I have 120 employees, 800 reps. Where’s the risk? The risk is with the customers that I have no governance over.
Schwartz: And the frustration when the person can’t get in and calls you. Now you have 10% of those people calling you once a year. You’re getting 400,000 phone calls a year or whatever.
Dolber: That’s going to be the challenge, of course. That’s why two-factor is not turned on for most institutions. How many broker dealers have turned on two factor for that? They know what’s going to happen: The client gets locked out. They’re going to be calling the broker-dealer.
Schwartz: Like anything else, you have to look at the risk and reward. How much is it happening and what is it costing you? Obviously, if you get a major breach, unfortunately you’ll say, “Can I go backwards in time and increase?”
Just yesterday a number of people in our company were getting emails from me that I didn’t send. They’re like, “Gee, I want to have the company wire some money to me.” Basically [cyberattackers] somehow figure out that I’m the big cheese, and so they send an email to people saying, “Hey, I just want to connect with you. I want money wired into my account.”
DeVito: Your system was hacked. That’s the problem. You don’t realize it. Your internal system has been hacked. What they’ll do is now they’ve figured out that you talk to the accounting department and you do it in a certain manner, in your tone. They’re sending something from you to Sally or Joe in accounting. “Hey, send me 10,000 bucks.”
[Editor's Note: Cambridge pointed out in an email message that Schwartz’s email account was not "hacked," but rather that he was a victim of an attempted "spear phishing in which cybercriminals use public information to try to impersonate a company executive by, among other things, spoofing the executive’s email address.”]
Schwartz: If we’re 10 times your size, then whatever happens to us three times is only going to happen to you 0.3 times. Eventually you get that $20,000 check that goes out before somebody figures it out.
The ones that we’ve had, the client was hacked, so the client sent a request to the rep to send money to them. The rep was out on vacation, didn’t check specifically and call the client and see. They sent $20,000 out. It is about training the rep, but it’s also the client who is getting hacked.
DeVito: I was incorrect. We did have that happen, that exact scenario. We didn’t get a direct hack where somebody pulled from an account, though.
Schwartz: We haven’t had that ever. They’ve never went in and the money just disappeared.
Brian Murphy, Lion Street Financial, Division I: The real risk in the future is it’s just not a game of perfect. They’re going to have all these weasel ways because crooks are spending a hundred percent of their time trying to steal. The real risk to us is that the regulators are going to expect that it’s a game of perfect.
Dolber: That’s why we have cybersecurity insurance, because that gap that I can’t solve for I have to cover. I’ve decided on a dollar amount that I can absorb, and I’ve insured.
Schwartz: It’s not like you can insure for $30,000 million. It’s some part of our E&O, and it’s $250,000 or [something] relatively modest.
Dolber: That’s where the operational side comes in. Technology doesn’t do everything. For instance, on third-party wires we call the client, and the advisors accept that. On every third-party wire, we’re calling the client. That’s not a technology issue. That’s just a service level issue.
The advisors didn’t like it at first, but I explained, “Look, we’re there to protect you. Third-party wires, we’re calling the client.” Now you start looking at that’s one thing, but what about the stuff that gets done direct, insurance company direct, mutual fund direct?
Our industry is going to see more attacks because the guys that are doing it, all they have to do is really examine the independent contractor model and understand what it is, understand it’s not like a bank and it’s not like employees that work for a firm like Merrill Lynch.
These are independent contractors, and their systems may not be as secure. Their protocol may not be as tight because it’s a diverse system.
The things that we’ve seen are the client getting compromised and then the perpetrator represents [him or herself as] the client to the broker. If the broker doesn’t call the client and confirm, they may act on fictitious instructions. That’s the risk right there.
I’m sure you have SANS 20 [protocols] so you’re doing all your penetration testing and what have you. The odds that we’ll get hacked, system wise, I don’t see that as much a possibility as end client getting compromised.
— Click here for more coverage of the 2016 Broker-Dealers of the Year.