As more financial information and data goes online, the threat of cybercrime rises.
For the best security, experts say investors should use different passwords for many accounts and change them on a regular basis.
By Holman Skinner Dec. 5, 2015
Americans are increasingly comfortable storing their information on cloud services and sharing their financial data. It’s clearly convenient: Data can be easily sent to a financial services firm and viewed from many devices, wherever a client or advisor happens to be.
Despite growing comfort levels, electronic data continues to be compromised. In early October, brokerage Scottrade said criminals gained access to a database containing information about 4.6 million clients. The breach occurred from late 2013 through early 2014.
According to a report by the NTT Innovation Institute, the financial sector is targeted more than any other, accounting for 18 percent of detected attacks.
And the consulting firm PricewaterhouseCoopers points out that cybercrime is bigger than a technology problem. “It is a strategy problem, a human problem and a process problem,” the firm wrote in a 2014 report. “After all, organizations are not being attacked by computers, but by people attempting to exploit human frailty as much as technical vulnerability.”
That human element applies not only to employees at financial firms, but also clients, says Sam Attias, managing director of financial services at cloud-computing specialist External IT in Iselin, New Jersey.
“Many investors feel like the onus is on their advisor, or really any company they do business with, to keep their information safe. This is wrong; keeping data secure is a collaborative effort, and investors need to be vigilant themselves. Otherwise, they’ll provide access to sensitive information to a hacker and, at that point, the criminal is able to access the investor’s information legitimately. This can be the issue more often than an advisor making a mistake,” Attias says.
Protecting financial data often means using precautions that most people are aware of but many ignore.
For example, Attias recommends that investors avoid using similar passwords for many accounts, avoid sharing passwords and change their passwords regularly. In addition, investors should also keep their paper documents secure by shredding anything containing a Social Security or account number.
“In terms of investor data, the good news is that investment advisors are required to maintain a comprehensive security program to safeguard client data. An investment advisor’s security program typically identifies and mitigates security risks through a combination of controls and technologies,” says Eric Clarke, CEO of Orion Advisor Services in Omaha, Nebraska.
Beware of malware. Clarke suggests that investors talk with their advisors about some easy steps to protect against malicious software, or malware. For example, email should ideally be routed through a secure gateway, and advisory firm employees should have anti-malware software installed on their computers.
Clients and advisors must be aware of dangerous emails that appear to come from financial companies. It’s a tricky issue because the emails often appear legitimate.
“A large source of malware is from incoming email with infected attachments or with links to phishing sites,” Clarke states. “A phishing email will often look as if from a trusted source such as banks or other financial institutions. The phishing email attempts to convince the user to click the link and log into the website. It is actually a spoofed version, or look-alike, website for the purpose of stealing the user’s ID and password as it is entered. The stolen credential can then be used to maliciously gain access to the legitimate website to steal personal data.”
Although clients and advisors must share the burden of cyber-protection, Attias says advisors must take some specific precautions.
“An advisor needs to be as vigilant as an investor and in the same ways. However, there’s an added layer of complexity, amplified by the number of advisors, locations and clients they have, all while maintaining regulatory compliance. Advisors are also working with a number of other players in the financial ecosystem to benefit the client, including custodians, banks, portfolio managers, applications providers – and they’re sharing confidential information between the parties,” he says.
Attias recommends that advisories have a security policy that informs how employees handle confidential investor data not only at their offices, but also at remote locations, including home computers, laptops and tablets. That includes having procedures in place for determining who can access certain levels of data, and training employees on best security practices.
While advisors are knowledgeable about financial planning and investments, they are not information technology professionals. That makes it even more imperative for investors to ask their advisors to have open discussions about data protection, Attias says.
“Almost all advisors are trustworthy people, but they’re not in the business of IT and security,” he says. “Questions that investors should be asking their advisors include: Where is your IT infrastructure located? Do you have a business continuity plan? How do you protect against viruses and malware? Who has access to my information and how do they access it? Do you have liability insurance?”
Online portals gain in popularity. An increasingly popular technology is the online portal, which allows consumers to upload data, including bank and brokerage statements, and to track spending and budgets. Sometimes advisors include these portals in their service; other times the portal developers offer access directly to consumers.
Clarke says these aggregation sites are becoming important tools for investment advisors and clients. However, these portals are not subject to government oversight from state or federal authorities. In that sense, they differ from investment advisors themselves, which are regulated by entities such as the Securities and Exchange Commission or state securities licensing divisions.
“Overall, these portals have good security measures, and in many cases do a better job safeguarding data than many individuals and organizations do themselves. With that said, these services are not governed by the SEC. Clients should be sure to check their bank’s fraud protection provisions regarding sharing banking credentials with such portals,” he says.
Attias says there is always a risk of a breach with these portals, but the application providers must maintain strict security policies for the benefit of their users. “Users should also review the security policy and ask questions of the vendor if they are concerned. In most cases, the vendor will post security information online,” Attias says.