At the 2017 Broker-Dealers of the Year roundtable in Chicago, the discussion turned to cybersecurity and what firms can do to protect themselves when their biggest risk is something they can’t control: clients.
Lon Dolber, American Portfolios Financial Services: One thing in our industry, which is curious from a cybersecurity [standpoint] — if you look at most independent broker-dealers, they’ll allow the brokers to put links on their sites where a client can log in to Pershing, they can log into National Financial, they can log into TD, but in almost every case there is no second level of authentication.
I’ve said it before, the [cyber] risk is not really with the advisors, and it’s not with their employees. We have 125 employees. I have 700 advisors, but I have 480,000 investors. The risk, just mathematically, is with the investing public that I have no control over.
Amy Webber, Cambridge Investment Research: Right.
Dolber: It’s going to be a service issue, though, because I see what happened when we turned on two-factor for the advisors — they got locked out.
Webber: Couldn’t figure it out.
Dolber: They can’t figure it out.
Webber: We’ve warned our advisors as we talk about these things [that they] may want to rethink that whole idea of having online help because [they’re] going to have to staff for that.
We can certainly attempt to [talk to clients], but for some of those questions, [advisors] don’t want them coming directly to us, and we don’t want to disintermediate them.
John Burmeister, Lion Street Financial: We’ve turned [two-factor authentication] on, so our advisors that do link out to [Pershing’s] NetXInvestor, then they have the dual-factor authentication.
Dolber: But not the clients. Not the end client. I don’t know of any broker-dealer that has turned on two-factor authentication for the end client. I’m talking about an investor of the advisor that decides to go to Pershing’s client side. I don’t know that they’ve turned on two-factor for that.
The clients are going in to that. They may rotate their passwords, but there’s not a second level of authentication like you have at the bank. To me, there’s a cyber issue. That’s something that I want to change because I want to have more centralized control of the security layer.
Webber: We have cyber insurance now for that because we’re responsible. We have it for the broker-dealer, and then recently we also went and negotiated so that advisors could get it. Sometimes what happens is our cyber insurance isn’t going to cover an advisor who happens to walk out of his office while there’s somebody sitting in there who gets a hold of some password or something, so we’ve got two layers of insurance now.
Dolber: Do you know how easy it is for a client to get impersonated? Even for the impersonator to open up an account? They can make themselves look so much like a client it is scary, but it comes down to the advisor having to call the client [to confirm requests].
Webber: The advisor has to call the client. We had an advisor who asked the client to call him. Guess who called him?
Burmeister: The fraudster.
Webber: The impersonator. You have to call the client at the number that’s in your records.
Burmeister: [Hackers are] getting more and more ingenious. I’ve seen them open accounts, transfer assets, set up ACHs and then take control of the assets. The one that’s most liable, yes, the advisor, should be talking to the client. The buck stops there, but the bank is the one that lets the fraudster open the account and take possession of the funds.
Webber: They don’t take responsibility for any of it, ever. It’s unfortunate.
Dolber: I don’t know what you’re doing with end-point monitoring. This is a dilemma for us. … We may do a VPN scenario instead, but the end-point monitoring would mean that when they logged into our site we would actually install an agent, with their permission, on their computer that would let us analyze daily what the status of their operating system is and their virus protection is.
Burmeister: We currently do that.
Webber: You said you’re doing [end-point monitoring] already. I suppose, at the end of the day, if we share enough horror stories about cyber and the risks and that they’re responsible for some level of that, then they may feel better about you …
Burmeister: They do. You have to clearly outline what you have access to and what you do not have access to, that you’re not monitoring their activities.
— Read Rock Solid: The 2017 Broker-Dealers of the Year on ThinkAdvisor.