As cyber attacks on banks garner attention in financial services, it might be a brokerage account that is most at risk. The vast majority of broker-dealers and investment advisers have been the target of cyber-attacks, but most don’t offer any guarantee to make the clients whole if their account is drained.
For brokerage firms, understanding where they are exposed is part of the solution, with a recently developed Cyber Defense Scoresheet the latest tool to assist.
Fully 88% of broker-dealers and 74% of investment advisers have experienced a cyber-attack, according to a 2015 Securities and Exchange Commission survey.
“Nearly half of an advisor’s clients have already had their personal information compromised in some way,” said Louis Harvey, DALBAR’s CEO. “It’s a matter of time before cyber villains start to use this information to steal assets in a big way.”
With high profile financial firms such as Equifax recently being in the news for cyber hacking incidents, the issue is also one that could mainly touch the asset management business, mainly when an account is hacked and assets are illegally transferred.
Brendan Yeager, a director at DALBAR, notes that most financial advisors don’t think about cybersecurity until it impacts them or their customers. “Most cybersecurity efforts are remaining static,” he said of efforts to address the problem, “while the cyber-criminal is constantly changing their approach,” looking for new ways to penetrate a brokerage firm, mutual fund or other financial firms to transfer assets illegally.
When a brokerage firm is hacked, and funds are illegally transferred, there is often no insurance covering such an incident and the investors is mostly unprotected. In 2015, however, all five of the top brokerage firms surveyed reimbursed investors whose money was lost to cybercrime due to no fault of their own. Likewise, Yeager says that in instances he is aware of, the brokerage firm has made the client whole when they have taken steps to protect their account.
“Cyber fraud is moving to an industrial level,” he said, pointing to a business model where attackers can look to rob someone while working on the other side of the world. There is no one single best defense, but rather a combination of efforts that can help advisers protect their client assets. Asking clients for their personal information, such as a Social Security number to identify themselves, is no longer enough as this information can be relatively quickly found on the dark web.
To help asset management firms assess their cyber defenses, DALBAR has released a “Cyber Defense Scoresheet” that provides an individual assessment of a brokerage firms cybersecurity efforts. The Excel spreadsheet asks questions about the firm’s security efforts, such as if they require biometrics to access account information or have a procedure in place for multiple login attempts. A grade is given to the brokerage executive right from the form based on the answers.
“Highly active omnibus accounts with large balances can be singled out” by the hackers, he said. “Millions of dollars could be siphoned from these accounts without alarm. On the other hand, large numbers of inactive low-interest accounts that are orphaned or abandoned may be easy targets for cyber villains.”
Yeager notes that ideally there are different levels of security depending on what information is being accessed and if the security level involves the withdrawal of funds. When a customer can withdraw funds online, that level of security needs to be the most secure, with multiple checkpoints and a stringent process required if account information such as email address or a phone number is changed.
