[BreachExchange] Investors need to take these steps to avoid being a cybercrime victim

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jul 13 20:55:09 EDT 2016


http://www.msn.com/en-us/money/topstories/investors-need-to-take-these-steps-to-avoid-being-a-cybercrime-victim/ar-BBuidb2

Anyone who has ever been the victim of identity theft or bank fraud knows
how bad the experience can be.

Even if money isn't immediately stolen from an account or purchases racked
up on a credit card, the possibility of that eventually happening is
something that can haunt people for years.

For investors, the experience can be particularly painful if personal data
and information about your investment accounts and assets get into the
wrong hands. Securities and Exchange Commission Chair Mary Jo White called
cybersecurity the biggest risk to the financial system, noting that stock
exchanges, dark pools and clearinghouses historically didn't have adequate
systems and policies in place to deal with the threat.

"This is not just cybercrime experts raising the alarm," said Brian
Edelman, CEO of technology advisor Financial Computer. "This is the head of
the SEC saying the system is at risk. These are real threats."

Cybercrime continues to skyrocket across all sectors of the economy as
technology and the internet become more integral to how businesses and
individuals operate. Along with very high-profile data breaches at huge
companies such as Home Depot, Target and JPMorgan Chase, hundreds of other
firms are dealing with thousands of attacks both from inside and outside
their organizations.

There have been 420 data breaches at U.S. companies and organizations
through May 24 of this year, exposing more than 12 million personal
records, according to the Identity Theft Resource Center, a nonprofit
organization tracking cybercrime. Ten of those breaches occurred at
financial service companies, including Charles Schwab, TD Bank and HSBC
Bank USA, with at least 4,800 records exposed. In seven of the 10
incidents, the extent of the exposure of information was unknown.

Financial advisors and their firms are as much a target as anyone.

"It used to be people only worried about wiring money to Nigeria," said
Bryan Baas, managing director of risk oversight and controls at TD
Ameritrade Institutional, which serves as custodian for more than 5,000
financial advisors. "Criminals change their tactics. So many events have
happened now that it's at the top of everyone's minds," he said.

That includes securities regulators. Both the SEC, which oversees
registered investment advisors, and the Financial Industry Regulatory
Authority, which regulates broker-dealers, conducted "cybersecurity sweeps"
of advisors and broker-dealers in 2014. Their assessments of firm policies
and controls were issued in a report last September.

The Office of Compliance Inspections and Examinations has issued guidelines
for what is expected of firms regarding their defenses against cybercrime.
Advisory firms, take note: The examinations and potential repercussions
could be much more severe the second time around.

"There's a laser focus on the regulatory front regarding cybersecurity
preparedness," said Baas, who helps advisor clients establish secure
networks and appropriate policies to ensure data security. "You don't need
a degree from MIT to deal with this. You just have to know what's expected
of you and hire someone to help if needed."

The experience of R.T. Jones Capital Equities Management, a small RIA based
in St. Louis, provides a cautionary tale. Last September it was slapped
with a $75,000 fine stemming from a data breach originating in China in
2013 that exposed personal information of about 100,000 people — not all of
them clients of the firm. There has been no evidence that any of the
individuals have suffered financial harm.

The SEC came down hard on the firm. It very publicly admonished R.T. Jones
for having no written policies regarding cybersecurity, for failing to
build a firewall to protect customer data, for not encrypting data it sent
to a third-party web server and for not having a response plan for
cyberattacks. The firm notified the individuals of the breach and offered
credit monitoring services to them.

"When it happened, they did everything correctly in response, but
regulators determined they didn't have any documented plan" that would
prevent such an incident, said Baas, adding, "The fine was only $75,000,
but look at the reputational damage."

R.T. Jones, which couldn't be reached for comment, is currently fighting
for its life.

For investors, cybercrime and protection from it should be a central
concern when it comes to their financial advisors. Ask questions and demand
proof of the answers, said Edelman at Financial Computer. A good place for
investors to start is to check out the investor alert issued last fall by
the Office of Compliance Inspections and Examinations.

"Investors need to know the questions to ask, and they need to get answers
with proof," Edelman said. "Every piece of information in the OCIE document
can be demonstrated with proof."

Here are five key questions about cybersecurity that both Edelman and Baas
at TD Ameritrade Institutional suggest investors should ask their financial
advisors:

1. What are you doing to protect my personal information?
2. Do you regularly assess the security of your information network and the
   potential risks from cyberattacks?
3. Other than your employees, who else that you work with has access to my
   data, and how do you monitor those outside vendors as to their
   cybersecurity policies?
4. Do you have a written cybersecurity plan, and can I see it?
5. Are all devices that have access to my information encrypted?