A shadowy figure in front of a computer screen (Image: Shutterstock) (Photo: Shutterstock)

Andrea McGrew has been a compliance officer for 14 years at USA Financial, so she’s seen plenty of missteps in her time. But when it comes to cybersecurity, she admits she’s “never been so afraid” for her advisor clients.

“We’re seeing increases in phishing, hacking, all types of nefarious attacks” on her firm and its independent contractor advisors. “It’s a terrifying world to live in,” says the firm’s chief legal and compliance officer, especially for small business owners like independent advisors. And even if you’ve been immune by chance or design from successful hacks, McGrew points out “you’re only as good until the next criminal mind comes along.”

The environment is particularly frightening for USA Financial’s end clients, who tend to be retirees or near-retirees, she says, since they will have less time to recover from a hack that costs them real money.

To help protect its advisors, USA Financial “started at home” by hiring an outside cybersecurity firm (CBI, or Cyber Security Solutions, based near the broker-dealer’s Michigan headquarters) to conduct penetration, phishing and social engineering tests of its own computer systems “to make sure we were safe.” It took that first step so the broker-dealer/RIA firm could get a strong understanding of the protection tools and processes available, “pulling back the curtain so our advisors could understand what to do as well” to protect their firms’ and clients’ data.

Throughout the year USA Financial invites its advisors to multiple business-building conferences, and in the last two such meetings a cybersecurity element was included. “We passed along to them what we learned,” and while following its recommendations would improve advisors’ systems, McGrew says “we also told them we would highly recommend that they seek out companies” similar to CDI to do the same testing.


Related on ThinkAdvisor:


McGrew admits that hiring such firms is “not an inexpensive proposition” and that while hiring these companies “isn’t cheap, neither is a breach.”

So what’s the top cyber risks to advisors, even smaller ones? McGrew says the biggest threat is “email, still.” The most common cyberattacks are phishing and social engineering (when hackers manipulate users into making security mistakes or giving away sensitive information). She says the research shows that email is used to deliver those attacks “96% of the time.”

USA Financial urges its advisors “to be very careful about the information they send” via email, McGrew says. “If you’re sending personal information about clients, or distribution forms, you’ve got to recognize that if they [hackers] can get your credentials and get your email, they can print out a distribution request and send it to you. Your client could be out of a lot of money in a short period of time.”

When USA Financial itself gets a client distribution request, “we always call the client,” she says, to ensure it’s legitimate. Advisors should be cautious about clicking on links or responding to emails, looking for common red flags. “Look at the domain name—if its 800 characters long, it’s probably not legitimate; if the email address doesn’t sound right, if the wording is odd” don’t respond unless you first confirm its authenticity.

Be particularly skeptical, she says, when the so-called client’s request includes a sense of urgency—“I need this $100,000 by tomorrow!” or when the client requests a change of bank to which to send that $100,000.

As an advisor,  if you get a written request from a client that they need a distribution or a wire transfer, call them and verify that the client actually made the request, she recommends.

While making that call may be time consuming, McGrew says there’s actually a hidden business benefit in doing so. Present the call, she suggests, as a “a value add to the client” which demonstrates that the advisor is looking out for the client’s best interests by confirming the request’s legitimacy. “The role of an advisor is shifting to being a family CFO,” she says, so this confirmation call is “ part of what I do” to protect the client.

How Can Advisors Further Protect Themselves?

  1. Beyond instituting the basic cyber protection technology like strong firewalls, McGrew suggests advisors follow USA Financial’s internal common-sense physical protection, such as not displaying passwords on a sticky note on your monitor. “Our tech team looks around the office,” she reports, “to make sure you can’t see passwords” being entered into a device from outside the office or cubicle.
  2. Speaking of passwords, McGrew says “we tell our advisors not to use a traditional password” but rather a passphrase, something like “’rocks roll down the hill’,” and to refrain from using the same password for all the sites or apps the use. Consider also using password management software like Keeper.
  3. “There are so many little ways you can protect yourself,” she says, including being careful about accessing information on a portable device. “Lock it out every minute,” she suggests, and “enable a kill switch on your phone; kill it if you lose the phone, and wipe it.”
  4. McGrew encourages advisors to explore cybersecurity insurance, noting that such coverage may well not be covered by your standard E&O insurance policy, which normally covers errors and omissions, “not fraud.”

While expensive, cyber insurance can help protect an advisor should a client lose thousands or even hundreds of thousands of dollars because of an attack. “If your client loses $250,000 because of a phishing link, you’re going to have conversations with the client about how to recover that money.”

If you’re an advisor who downplays cyber risk or thinks having cyber insurance coverage is sufficient protection, there’s one other potential problem advisors face if they’re successfully attacked. “The internet really is a dark web,” McGrew warns. “If your name gets out there as an advisor with vulnerabilities,” other hackers “will attack you like a lion going after the weakest prey.”

Related on ThinkAdvisor: