Cybersecurity and Data Protection
By Bob Veres
Not long ago, I reported something astonishing: A number of larger financial services firms and software companies were working hard on cybersecurity measures—and at the same time, they were resigned to the fact that ultimately, with increasingly sophisticated cybercriminals who have penetrated major corporate databases (Target, JP Morgan, Home Depot) and government systems (U.S. State Department, Department of Defense) our puny efforts are doomed to fail.
That is, some way or another, your clients’ data is likely to be hacked. It may be through the hotel they stayed at (Starwood), it may be a credit reporting agency (Experian), or somewhere they shopped—or via a determined cyberattack on your own offices.
What do you do?
I asked the Inside Information audience to weigh in on this gloomy insight, and discovered that many of you are thinking along the same lines. A number of responses offered what you always hear from custodians: you make sure to talk with a client on the phone whenever there is a wire transfer request, make sure your staff and clients are educated not to click on suspicious web links, and talk to everybody about maintaining hard-to-hack passwords. Also: review your credit card accounts every month looking for purchases you don’t recognize.
Finally, there’s no shortage of companies that offer cybersecurity protection, on an outsourced basis, for advisory firms—including True North Networks (https://www.truenorthnetworks.com/), Entreda (https://www.entreda.com/), Rightsize Solutions (http://www.rightsize-solutions.com/), and Itegria (https://www.itegria.com/).
That’s what pretty much everybody knows. In addition to that, here are some precautions that some advisors are taking:
1) Encourage clients to request multi-factor authorization on their banking, credit card and custodial accounts. Apparently just about all financial institutions have programs in place—but you have to ask for them. And there’s a hassle factor; every time you log into your bank or credit card account, even if it means just checking on whether a check cleared or looking for suspicious transactions, you have to have your phone handy and type in that little code the financial institution texts to you.
A bigger hassle factor is that multi-factor authorization basically means you cannot do automated account aggregation through Quovo, ByAllAccounts, Yodlee or others. Those systems use a client-supplied user name and password to access the client account data and pull it back into your performance reporting software. They can’t do that if they are required to read off a text message that is only sent to your client’s phone before they can access that data.
The loss of account aggregation and the hassle factor are BIG drawbacks. Is the extra safety worth it?
2) If you’re ready to concede that the client data is vulnerable pretty much no matter what you do, then your best option is to freeze the client’s credit through the credit monitoring services. Some advisors are doing this on behalf of clients; they send a certified letter to each of the three credit reporting agencies—Equifax, Experian and TransUnion, requesting a free credit freeze. All the letter has to say is: “I would like to request a security freeze on my credit report,” have it signed by the client, and at the bottom list the client’s first, middle and last name, and full mailing address. (You can also do this by phone while the client is in the office.)
Equifax: Equifax Security Freeze, P.O. Box 105788, Atlanta, GA 30348 – 800-685-1111
Experian: Experian Security Freeze, P.O. Box 9554, Allen, TX 75013 – 888‑397‑3742
TransUnion: P.O. Box 2000, Chester, PA 19016 – 888-909-8872
Note: the client will still get a free credit report each year.
Note: you will need to get a PIN number from the credit reporting agency, which is used if/when the client wants to temporarily unfreeze the account when applying for a loan or new credit card. (That’s why the letter needs to have the client’s address at the bottom.) These can be maintained at the advisor’s office (maybe in the CRM system?) for the convenience of the client.
3) Helen Pratt and Brooke Salvini, at Salvini Financial Planning in Avila Beach, CA point out that there are a lot more precautions a client can take, including freezing reports at Innovis, ChexSystems and the National Consumer Telecommunications & Utilities Exchange, and requesting a report every 12 months as a way of checking for errors. (Innovis provides information that helps companies detect and prevent fraud; ChexSystems reports information on checking account applications, while NCTUE collects telecom, pay-TV and utility connection requests and fraudulent accounts.).
Salvini Financial Planning has created a spreadsheet with a ton of helpful links, which they’ve graciously allowed me to share with the Inside Information audience (see attachment).
4) Your clients who are not yet receiving Social Security benefits are in danger of having somebody else file for them. Clients can be encouraged to sign up for a “My Social Security Account” online—and the goal is to sign up before a cyber thief does in their name. (Here’s the link: https://www.ssa.gov/myaccount/lp/landing-page-rome.html)
This also allows clients to get replacement social security cards or replacement SSA-1099 or SSA-1042-S for tax season if needed.
The bottom line here, I think, is that it may not be possible to protect clients from cyberattacks or cyberfraud, but it may actually be possible to protect them from the consequences of a data breach. I hope this message helps start a debate on how to go the extra mile to protect clients in an increasingly risky cyberworld.