Perfect Practice

Government hack raises red flags for investors

Shelly Schwartz, special to

Recent news that Internet on 4 million current and former federal workers earlier this year is just the latest in a seemingly endless litany of online security breaches making headlines of late—and making Americans wonder if they can trust digital gatekeepers at both public and private institutions with their personal and financial data.

Financial advisors are aware of their clients' concerns—and share them. For certified financial planner Stacy Francis, the grammatical errors were the first red flag that a recent email her firm received was likely a scam. The high-pressure language was another.

"The perpetrator must have known our client personally, because he knew she was on a plane to Colombia for a conference, and he referenced it in the email," said Francis, president and CEO of Francis Financial, recalling the urgent request for a wire transfer she received back in February.

This one came directly from her client's email address—the hacker had broken past her client's firewall and accessed her contact list.

"It said she was jumping on a plane now and that she needed the money wired to a specific bank, with a routing number, for when she landed," Francis said. "After we didn't respond to the first email, the second one immediately after said, 'Are you not in the office?'—which is every advisor's fear, that their client thinks they're out on the golf course.

"It was very convincing, but because of our protocols in place, he didn't get away with it," she added.

Indeed, Francis Financial requires a notarized letter and a personal phone call from the client before transferring any money to a third party.

Well done, said Financial Planning Association president Ed Gjertsen II, who notes that protecting client data in the age of identity theft, hackers and cyberattacks has become an issue of grave importance.

It's evident that more of an investor's financial life is exposed online, meaning that data security has become top of mind for financial advisors.

"We take a comprehensive approach with clients, which means we are potentially holding very sensitive data that is basically the key to our clients' financial lives," said CFP Gjertsen, who is also vice president of Mack Investment Securities. "Outside of Social Security numbers and dates of birth, we may have information on where they keep their accounts and what the account numbers are."

To be sure, working in an industry that is based on a great deal of trust, financial advisors understand that they cannot have their reputation damaged as a result of a cybersecurity breach.

To safeguard that information and keep it out of the hands of predators, financial advisors are stepping up their game, using a combination of cybersecurity, internal controls and training.

Assuring cybersecurity

Advisors who adhere to industry best practices, for example, store client records on secure servers that use encryption technology to prevent unauthorized access to the network.

Christopher Olsen, a CFP with Ameriprise Financial Services, said his practice also encrypts office equipment containing client data to prevent a leak should the device become lost or stolen.

That's critical, Gjertsen said.

"Whether you are a sole practitioner or a firm with billions in assets, you have to be vigilant about what happens if your laptop or phone gets stolen," he said. "We don't think about it, but our phones have become mini-PCs, so you need a code to lock it down.

"The cloud is so ubiquitous that it's opening up the potential for data breaches."

Gjertsen said his office also uses the latest malware detection software to flag any email that may contain viruses that would damage or disable their computers.

"Your weakest point is anyone who doesn't understand what a well-placed email from a nefarious source can do," he said. "We tell our staff, 'When in doubt, stop, pick up the phone, and call the company that supposedly sent it,' because it is a technological arms race in cybersecurity.

"The more sophisticated the hackers become, the more sophisticated the cybersecurity presentation methods have to become."

As backup, Gjertsen said, his practice performs daily "cybersweeps" on its computers to flush out any viruses that may get through.

Francis said her office also sets clients up with an Emoney account, which enables them to view current values of assets and liabilities, track and categorize spending and access daily reports.

It does not, however, let them execute transactions, such as paying bills or transferring money from checking to savings.

"The reason we don't want them to have that capability is we want to make it more secure so no one can access the account and use their money to send to a different account or purchase something," said Francis, noting the password-protected account information is stored offsite on a secure server that uses 256-bit encryption, the most bulletproof security available.


Verifying that clients are who they say they are is the first line of defense.

When opening new accounts, Lillian Meyers, a certified financial planner with Meyers Financial, cross-checks clients' driver's license and Social Security numbers to verify their identity. She also asks clients who phone in to discuss their account to confirm their address or birth date.

Other advisors ask clients who call in to answer such questions as where they vacationed last or the name of their eldest child—personal questions to which an advisor would know the answers, thanks to a close working relationship.

Increasingly, financial advisors also require two-step authorization before disclosing client information to third parties, such as tax professionals, mortgage lenders, banks, attorneys, trustees—and even spouses. That typically includes a signed form, personal phone call or notarized document.

Olsen at Ameriprise, for example, asks all clients to sign a form authorizing him to speak with third parties, whom they must identify by name. The form also indicates that the third parties are authorized to talk to him.

Likewise, advisors do not discuss account information with family members who are not named to the account without a power of attorney, a legal document stating they are authorized to make financial decisions on behalf of their client.

Internal controls

Internally, financial advisors who make client privacy a priority also put policies in place to safeguard sensitive data.

Gjertsen, for example, limits access to account information to only those employees who require it to do their jobs.

"Different firms have different rules, but none of our employees have sensitive client information on their phones, just the advisors," he said. "That data is password-protected, with the ability to remotely swipe it should it become compromised."

For her part, Francis requires her employees to change their computer login and email passwords quarterly and instructs her staff never to include full account numbers in email correspondence.

She also provides in-house training for staff members on security protocol and offers seminars for clients to help them help themselves.

"We can do everything in our power to protect our own information, but what our clients do has an even bigger impact," Francis said. "We recently had a speaker in who was phenomenally helpful in talking to our clients about shredding credit card offers they receive in the mail but don't want and being careful about checking their credit reports—including their minor children's, which is a very disturbing new scam."

Trust is essential between financial advisors and their clients.

After all, consumers must have confidence that they are in qualified hands, that their investment objectives are understood and that the guidance they receive will help them meet their short- and long-term financial goals.

But before the conversation can even begin, they must have faith that the personal information they provide will be kept safe and that any threats to cybersecurity will be skillfully managed.

"We are in control of a lot of sensitive data," Gjertsen said. "It behooves our profession to be very forward-thinking in protecting client data."