It took months for investigators to figure out the hackers’ cyberattack…
Someone was systematically penetrating the Internet trading accounts of customers at Fidelity, Scottrade and other firms. The hackers changed the accounts’ email addresses and phone numbers as they went along.
Next came the payoff.
With total control of the victims’ accounts — and virtually no cybersecurity to hack — the hackers wrote options contracts and shorted stocks in ways that guaranteed a trading loss.
With another set of accounts, the hackers simultaneously took the other side — the winning side — of all those trades … and reaped an estimated $1 million.
But while regulators are finally waking up to the tricks of hackers, that doesn’t mean you’re safe…
Despite numerous accounts over the past several years of hacks and fraud, the investment industry has gaping holes in its security that are leaving you vulnerable, demanding that you take steps to protect yourself.
Federal investigators eventually pieced the online scam together. A Russian national, Petr Murmylyuk, pleaded guilty to securities fraud in 2013.
But the extent of his efforts showed two things:
- Wall Street’s broker-dealers and registered investment advisers are now on hackers’ radar screens in a big way.
- The SEC wasn’t paying attention; the agency’s focus was elsewhere.
But no more. Earlier this year, the SEC said cybersecurity would become an “examination priority” when it looks at firms’ compliance with the agency’s rules and regulations.
Wall Street Was Not Prepared
The SEC also released the results of a survey of more than a hundred broker-dealers and registered investment advisers.
It sheds a lot of light on why we all need to pay close attention — not just to our own online habits, as The Sovereign Society’s privacy guru Ted Bauman so often reminds us — but to the practices of the firms handling our investment funds as well:
- 74% of the surveyed firms said they were the focus of online fraud attempts.
- Over half of the survey’s broker-dealers said they received scam emails seeking to transfer customer funds.
- In some cases, the scam emails worked. One-quarter of the broker-dealers reported losses of more than $5,000 per customer. One investment adviser reportedly lost more than $75,000 of a customer’s funds.
- Few investment advisers (21%) and only half of the surveyed broker-dealers carry insurance policies against cybersecurity incidents.
Needless to say, most brokers and investment advisers still have a ways to go when it comes to safeguarding our information. In fact, the SEC’s “safeguards rule” requires broker-dealers, advisers and investment companies to adopt written policies and procedures that should, in reasonable circumstances, protect the information of their customers.
Of course, when it comes to any government regulator, what’s considered reasonable protection — and what’s not — depends on whose side you’re on. For instance, many registered investment advisers aren’t big enough in size to have a chief information security officer — the new ‘hot’ executive title for firms that want to demonstrate their seriousness about the matter.
But perhaps to get the message across to everyone that it’s no longer “business as usual” on ignoring safeguarding rules, the SEC last week put a small St. Louis-based investment adviser firm in its crosshairs.
Too Little Too Late
According to the SEC’s press release, the firm’s web server was hacked in July 2013. Before that point, the firm did not maintain a firewall, encrypt customers’ personally identifiable information or have written policies and procedures regarding the safekeeping of customer data. And the server itself was operated by a third party.
Afterward, the firm did the right thing — it notified customers of the data breach, offered free identity-theft monitoring and took all the other steps it should have taken from the start to safeguard their data.
But the damage was done.
Last week, the firm agreed to pay a $75,000 fine and “cease and desist from committing or causing any future violations” of the agency’s customer safeguards rule.
Are You Protected?
The SEC has put pressure on the financial industry to clean up its act in terms of security, but that doesn’t mean you should blindly trust your investment adviser or broker with your most critical information. The truth is no one values your data as much as you do and you need to make sure it’s protected.
Contact your brokerage firm or investment adviser and ask what steps have been taken to protect your privacy. Does the company meet SEC safeguard standards? Has your information been encrypted? Is there at least a two-step authentication process for accessing your data? Does the company have insurance against cyber incidents in the event that they are hacked and your information is stolen?
No doubt the judgment will make more such firms reassess their own efforts (or lack of them). But there’s no reason to wait and find out the hard way if you’re vulnerable.
And hopefully we as customers will help them along by asking similar questions on what they’re doing to safeguard our private information.
Editorial Director, The Sovereign Society