At the 2017 Broker-Dealers of the Year roundtable in Chicago, the discussion turned to cybersecurity and what firms can do to protect themselves when their biggest risk is something they can’t control: clients.
Lon Dolber, American Portfolios Financial Services: One thing in our industry, which is curious from a cybersecurity [standpoint] — if you look at most independent broker-dealers, they’ll allow the brokers to put links on their sites where a client can log in to Pershing, they can log into National Financial, they can log into TD, but in almost every case there is no second level of authentication.
I’ve said it before, the [cyber] risk is not really with the advisors, and it’s not with their employees. We have 125 employees. I have 700 advisors, but I have 480,000 investors. The risk, just mathematically, is with the investing public that I have no control over.
Amy Webber, Cambridge Investment Research: Right.
Dolber: It’s going to be a service issue, though, because I see what happened when we turned on two-factor for the advisors — they got locked out.
Webber: Couldn’t figure it out.
Dolber: They can’t figure it out.
Webber: We’ve warned our advisors as we talk about these things [that they] may want to rethink that whole idea of having online help because [they’re] going to have to staff for that.
We can certainly attempt to [talk to clients], but for some of those questions, [advisors] don’t want them coming directly to us, and we don’t want to disintermediate them.
John Burmeister, Lion Street Financial: We’ve turned [two-factor authentication] on, so our advisors that do link out to [Pershing’s] NetXInvestor, then they have the dual-factor authentication.
Dolber: But not the clients. Not the end client. I don’t know of any broker-dealer that has turned on two-factor authentication for the end client. I’m talking about an investor of the advisor that decides to go to Pershing’s client side. I don’t know that they’ve turned on two-factor for that.
The clients are going in to that. They may rotate their passwords, but there’s not a second level of authentication like you have at the bank. To me, there’s a cyber issue. That’s something that I want to change because I want to have more centralized control of the security layer.