The most significant finding of the research is “generally how passive people are about the subject,” says Lou Harvey, president and CEO of Dalbar, a Boston-based independent financial-services market research firm.
“The more we’ve examined, the bigger the shock it is as [cybercrime] keeps growing. Look at the number of incidents,” he explained in an interview. “Think about the last day you didn’t see a news item about cybertheft. I imagined everyone would be up in arms with [cybersecurity], but they were not, and that certainly caught my attention.”
The survey of broker-dealers, sponsored by ThinkAdvisor, Dalbar and 15 financial-service firms, aimed to identify the greatest deficiencies in cybersecurity authentication and to “create a roadmap to improving protection,” Harvey says.
The research revealed that 74% of firms have the same practices they’ve had for the past five years, and only a “paltry” 4% are planning to adopt new practices, Harvey says, adding that he did not anticipate these results.
“No one wants to make a big ado about the threat,” he explained. “When something goes wrong or issues arise [it’s] outside of the financial-services [industry], so it doesn’t grab the attention it should.”
“Unless it happens to a firm or an advisor, it happens in the outside world. There’s a huge difference with someone who has come face-to-face with cybertheft, as opposed to a vast majority who have not,” Harvey explained. “Those who have had accounts opened or money withdrawn are passionate about the issue, but that has not translated to a general concern.”
Most firms have run across the phishing of their accounts, but nothing in a big way, like 10,000 accounts being affected. “Until someone like Julian Assange gets out of playing with the government and starts playing with money,” firms likely will not move to make changes, Harvey says.
More Key Findings
The most widely used authentication practices within the industry are procedures for failed logins (66.1%), while the termination of sessions after a period of inactivity is used by 60.4%, according to the study.
In addition, 57.3% of firms have the ability to cancel, replace and communicate about a password if an account has been compromised.
The best-fortified businesses are retirement service providers, which take advantage of 30.1% of authentication practices, followed by investment providers (29.7%) and life & annuity providers (28.7%).
Key points of access by bad actors include websites (at 34.3%), followed by mobile devices (28.7%), interactive voice response (22.9%), phone centers (21.6%) and electric statements (24.7%).
Phone centers that employ humans thwart thieves, since an account or other change must go through a real representative and not just a computer, which Harvey refers to as a “picket fence” defense. The “stone wall” defense is an aggregation of all defenses stacked together, he says, not just one or two.
Financial advisors should be very concerned about the cyber defense of their broker-dealers and other institutions that hold client assets, such as investment firms, insurance companies and record-keepers, Harvey points out.
“Advisors have a role in all of this. The advisor is going to be called to account if something in fact goes wrong. If a client turns assets over to an advisor, the advisor puts them somewhere, and they get [stolen], the client will blame the institution, but doesn’t the advisor have complicity for having it [at that broker-dealer or other firm] in the first place?” he asked.
His answer is “yes.” Advisors generally believe that client assets are safe thanks to the diversification of their investments, “but are you [diversifying the] institutions you use [for cyber defense]?” the Dalbar executive inquired.
According to a recent study by the American Institute of CPAs, eight in 10 Americans are concerned about the ability of businesses to safeguard their financial and personal information, and three in five say they or an immediate family member have been the victim of some scheme to defraud them, ranging from a letter or phone call from someone impersonating an IRS agent to someone opening a line of credit in their name.
In late March, New York Attorney General Eric T. Schneiderman released a report stating that there were 1,583 data breaches reported in New York State in 2017, exposing the personal data of 9.2 million New Yorkers — four times the number impacted in 2016.
To prevent the loss of investor assets, advisors need to question their BDs about to their cybersecurity practices. “It should be a part of every RFP,” the Dalbar chief explained.
Though many firms have been hacked for clients’ personal information, it will take a major financial loss to move the bar. “It seems to me that once we have an ugly scandal with money lost as opposed to personal information [being taken], this will get people’s attention,” said Harvey.
The key findings of the Dalbar/ThinkAdvisor survey on how firms use certain authentication practices are listed below; a mark (X) in the Usual Practices column means more than a-third of respondents use the practice and therefore it is considered usual.
|ID||Authentication Practice||Number Responding||% in Use||Usual Practice|
|1||Username/Password for identification||294||54.1%||X|
|2||Confirmation process for changing username/password/email||294||47.6%||X|
|3||PIN for authentication||294||19.7%|
|4||SSN for identification or authentication||238||30.7%|
|5||Two Factor Authentication – a process that involves both: Factor 1 – information that the user knows (like account number) and – Factor 2 – something that they have (such as a token) or a separate channel (such as email or text message)||282||25.5%|
|6||Multi-tiered authorization (i.e. Tier 1- Account info; Tier 2- Personal data/transactions)||228||33.8%||X|
|7||Personal security questions||282||41.8%||X|
|8||Separate on-file medium for authentication (phone/email/etc.)||282||36.2%||X|
|12||Other biometric (please specify)||226||0.0%|
|13||Patterns in login history to alert for possible risk||78||28.2%|
|14||Detection of change to flag possible risk (Device/IP address/etc.)||176||34.7%||X|
|15||Challenge-response test such as Captcha||226||9.7%|
|16||Changes in volume mix of activity||224||23.2%|
|17||Same IP address in activities in other accounts||120||20.0%|
|18||Terminate session after timed period of inactivity||224||59.4%||X|
|19||3rd party user management/authentication solutions||280||22.5%|
|20||3rd party fraud prevention solutions||280||30.7%|
|21||Procedure for undelivered email||280||38.6%||X|
|22||Procedure for undelivered standard mail||280||51.8%||X|
|23||Procedure when there are no logins for an extended time||224||19.6%|
|24||Procedure for multiple failed logins||224||63.8%||X|
|25||Temporary password for immediate access||224||41.1%||X|
|26||Ability to cancel, replace and communicate password if account is compromised||280||56.4%||X|
|27||Password expiration after a period of time or set number of uses||224||23.2%|
|28||Multiple source verification for transactions (i.e. advisor and client)||226||27.0%|
|29||Restrictions on transactions that could be used for fraudulent purposes (address/registration change, etc.)||226||53.1%||X|
|30||Limit access for high profile accounts||280||22.5%|