The Cambridge Cyber Summit

Advisors' account security may leave your money vulnerable

Cybersecurity isn't often top-of-mind when you're hiring a financial advisor, but it should be — for the sake of your financial security.

While 8 in 10 advisors say that cybersecurity is a high priority, only 44 percent say they fully understand the issues and risks, according to a new report from the Financial Planning Association's FPA Research and Practice Institute. Just 29 percent say they are fully prepared to manage and mitigate cybersecurity risks.

The survey polled 1,015 financial advisors nationwide during July. The margin of error is plus or minus 3.07 percentage points.

"They see the regulators turning up the heat, they see the focus on the industry," said Bryan Baas, managing director of risk oversight for TD Ameritrade Institutional, which sponsored the survey.

The Securities and Exchange Commission's Office of Compliance Inspections and Examinations has issued requirements on cybersecurity preparedness. The Financial Industry Regulatory Authority also reviews firms' compliance on cybersecurity practices and rules.

Advisors haven't been a prime target for cyberattacks yet: 657 breaches exposing more than 28.6 million records have occurred this year, according to data from the Identity Theft Resource Center. The broad category of financial institutions, including banks and credit-card issuers, accounted for just 21 of those breaches and 5,262 records.

But the risks for your money and your data are there, whether you're working with an advisor from a big-name firm or a sole proprietor, said Mike Patterson, vice president of strategy for consulting firm Rook Security. Bigger firms tend to dedicate more resources to data security, but they also have bigger client lists (and balances) that make a more attractive target for hackers and thieves.

"Some of the small firms are very much off the radar, but they may not have a person dedicated to security," he said.

Here's what security experts say you should be asking your current or prospective financial advisor, and the other steps you should take to secure your financial data:

What to ask your advisor

How do you protect my data?

"Most security questions are going to be out of the familiarity zones for the typical consumer," said Patterson.

What you're looking for, he said, isn't a particular kind of technology, but an answer that tells you the advisor has thought about security — that there are protocols and protections in place. Your advisor should be able to tell you something more specific than that the firm has a security team or that they take data protection "seriously."

The SEC requirements and FINRA checklist are good starting points.

Where will my data be stored — and who will have access?

The more places your information is stored and the more people have access to it, the more potential points of attack an attacker has, said Hitesh Sheth, president and chief executive of security software provider Vectra Networks. Encrypted databases don't mean much if the advisor takes work home on an unencrypted thumb drive or an assistant in the office falls for a phishing email.

Keep in mind that the threat may be physical rather than digital if the advisor prints copies of your documents or takes paper notes during your meetings and phone calls, he said. Ask about the security for those papers that are stored, too.

What happens to my data after our relationship ends?

It's a good idea to know what will happen after you're no longer a client, said Kurt Roemer, chief security strategist at software company Citrix. The firm should have policies for safely disposing of former clients' data, and a succession plan if the advisor retires, switches firms or dies.

Have you ever been the target of a cyberattack?

Some people learn from their mistakes, others don't, and most fall into the latter category, said Ryan O'Leary, vice president of WhiteHat Security's Threat Research Center. Consider it a red flag if a prospective advisor has been hacked, he said. Ask what policies and procedures have changed as a result of that incident.

How will you help me in the event of a breach?

You want to know that there are policies in place to notify you quickly that there has been a breach and what information has been compromised, said Patterson. The firm should also have a cyber and privacy liability insurance policy to cover any losses.

What you can do

Don't overshare

Depending on why you hired an advisor — creating a financial plan versus managing your portfolio — sharing info like your Social Security number or account numbers might not be necessary. If you're sending account statements or tax returns, black out such personal information, said Matt Rodgers, head of product for E8 Security, a cybersecurity analytics firm.

Don't be afraid to question the need for such data. "Ask, 'Why do you need this? What are you going to use it for?'" he said.

Nor should you share your own login information for financial accounts, even if the advisor needs access, said O'Leary. Brokerages allow you to fill out paperwork granting an advisor access and specifying actions he or she can take on your behalf.

Secure data transmissions

"As much as can be kept off of email, the better," said Patterson.

Either party's email could be the target of an attack, multiplying the risk of sensitive personal information falling into the wrong hands, he said. Use a secure file-transfer service, or if the firm has one, a secure client-access portal.

Recognize phishing attempts

After a breach, attackers may pose as your financial institution or advisor, sending emails designed to trick you into revealing more financial information. Don't click on any links in emails urging you to log in, change your password, sign up for credit monitoring services or take some other action, said Roemer.

Instead, use channels of communication you know to be correct — calling the office directly, for example, or typing your financial institution's web address directly into a new browser window.

Set up communication protocols

Agree upfront with your advisor on how you'll handle any important communication or account instruction, said Rodgers. (He and his advisor, for example, have agreed that his advisor will email, asking Rodgers to call the office.) That kind of setup prevents an attacker with access to either party's email from gaining access to more financial information — or cash.

"Having email passwords cracked is a fairly common issue for all of us," he said. "We don't want to put our financial lives in jeopardy because we didn't make some common-sense decisions upfront."