Cybersecurity is a concern for “the entire planet,” according to Eric Schwartz of Cambridge Investment Research. He and the other winners of the 2016 Broker-Dealers of the Year discussed the myriad cybersecurity challenges their firms are facing.
Danielle Andrus, Investment Advisor: Where does cybersecurity fit in that when you have all these disparate sources of information you’re trying to integrate?
Eric Schwartz, Cambridge Investment Research, Division IV: It’s clearly a bigger and bigger concern for the entire planet in everything. I don’t know that our industry’s that much different. You’re going to get attacked. Fortunately, we don’t get attacked as much as JPMorgan does because we’re not as well known.
It’s an ongoing effort, and a bigger percentage of the budget on an ongoing basis. We have, in the history of the company, had two or three cases of $20,000 or $30,000 being pulled out of accounts.
The first one happened over 10 years ago. [Attacks have] been small, and there’s been two or three of them.
That doesn’t make us think something worse isn’t going to happen soon. Fortunately, most of our assets, they’re not sitting in our broom closet. It’s over in National [Financial], or Pershing has a lot of it, or Schwab or American Funds. They have their own guards up, too.
Ralph DeVito, The Investment Center, Division II: We haven’t had anybody getting any money stolen yet. We have had a number of reps hacked. Luckily, it was no crazy data breaches, per se. We’re spending a ton of money internally on our systems or backup systems, firewalls, both in house and disaster recovery.
You have to monitor who you’re using for cloud-based stuff, too, making sure they’re prepared. In the event that they get hacked when it’s your data, whose issue is it? We’re constantly training and sending out alerts, suggesting, almost demanding, what a rep should have in his office to secure his systems as well. We’re encrypting everything that comes and goes internally.
When you look at the cybersecurity map, all the hacks that are going on at any given time, it looks like air control. There are that many thousands of hacks going on simultaneously worldwide.
Lon Dolber, American Portfolios, Division III: We create fictitious emails, and we send them to the advisors. If they open those emails, they’re sent to an [electronic] training center.
The other thing we’re looking at right now is when advisors log on to our website we want to potentially install an agent on their computers that will look at what virus protection they have in their systems, what their operating system is, how much they’ve updated it.
When we do the audits we ask those questions, but how often do you do an audit? Once a year? In some cases you don’t have to do it for two years. It’s not enough.
We’re going to tell the advisor that when they log on, we’re going to be looking, put an agent on their computer. It doesn’t do anything other than report back what the status is, and we’ll tell them what the status is.
That, combined with the two-factor [authentication] that every advisor that logs in has to have, that’s what I want for the clients, too. I would venture to say that most firms, when their client logs into Albridge or Pershing, are not being given a second level of authentication. In some cases it’s not even offered.
That’s a problem [because] it’s the clients that are getting hacked. It’s not so much the reps. We have [over 400,000] customers. I have 120 employees, 800 reps. Where’s the risk? The risk is with the customers that I have no governance over.
Schwartz: And the frustration when the person can’t get in and calls you. Now you have 10% of those people calling you once a year. You’re getting 400,000 phone calls a year or whatever.
Dolber: That’s going to be the challenge, of course. That’s why two-factor is not turned on for most institutions. How many broker-dealers have turned on two-factor for that? They know what’s going to happen: The client gets locked out. They’re going to be calling the broker-dealer.
Schwartz: Like anything else, you have to look at the risk and reward. How much is it happening and what is it costing you? Obviously, if you get a major breach, unfortunately you’ll say, “Can I go backwards in time and increase?”
Just yesterday a number of people in our company were getting emails from me that I didn’t send. They’re like, “Gee, I want to have the company wire some money to me.” Basically [cyberattackers] somehow figure out that I’m the big cheese, and so they send an email to people saying, “Hey, I just want to connect with you. I want money wired into my account.”