At the 2017 Broker-Dealers of the Year roundtable in Chicago, the discussion turned to cybersecurity and what firms can do to protect themselves when their biggest risk is something they can’t control: clients.
Lon Dolber, American Portfolios Financial Services: One thing in our industry, which is curious from a cybersecurity [standpoint] — if you look at most independent broker-dealers, they’ll allow the brokers to put links on their sites where a client can log in to Pershing, they can log into National Financial, they can log into TD, but in almost every case there is no second level of authentication.
I’ve said it before, the [cyber] risk is not really with the advisors, and it’s not with their employees. We have 125 employees. I have 700 advisors, but I have 480,000 investors. The risk, just mathematically, is with the investing public that I have no control over.
Amy Webber, Cambridge Investment Research: Right.
Dolber: It’s going to be a service issue, though, because I see what happened when we turned on two-factor for the advisors — they got locked out.
Webber: Couldn’t figure it out.
Dolber: They can’t figure it out.
Webber: We’ve warned our advisors as we talk about these things [that they] may want to rethink that whole idea of having online help because [they’re] going to have to staff for that.
We can certainly attempt to [talk to clients], but for some of those questions, [advisors] don’t want them coming directly to us, and we don’t want to disintermediate them.
John Burmeister, Lion Street Financial: We’ve turned [two-factor authentication] on, so our advisors that do link out to [Pershing’s] NetXInvestor, then they have the dual-factor authentication.
Dolber: But not the clients. Not the end client. I don’t know of any broker-dealer that has turned on two-factor authentication for the end client. I’m talking about an investor of the advisor that decides to go to Pershing’s client side. I don’t know that they’ve turned on two-factor for that.
The clients are going in to that. They may rotate their passwords, but there’s not a second level of authentication like you have at the bank. To me, there’s a cyber issue. That’s something that I want to change because I want to have more centralized control of the security layer.