It’s the nightmare of every independent broker-dealer executive, particularly after the recently revealed Russian hack of upwards of 250 federal government agencies and businesses put a spotlight on cybersecurity. What if criminals breach a broker-dealer’s cyber wall by impersonating its financial advisers?
The phony advisers call the broker-dealer’s support line and request new passwords, which gives the intruders access to the personal information of thousands of clients.
Then the real, targeted adviser gets an email notification about the request and informs the firm. The broker-dealer takes steps to respond to the intrusion but falls short and does not prevent the attackers from accessing the portal through other compromised adviser logins.
That horrific scenario is actually a true story. Voya Financial Advisors paid $1 million in 2018 to settle Securities and Exchange Commission charges regarding a data security breach two years earlier that compromised the personal information of thousands of customers.
The Russian hackers gained access to the U.S. government agencies via a software update by a third-party vendor, SolarWinds. Independent broker-dealers are also vulnerable to breaches at third-party vendors, since they typically rely on such vendors for technology. Building systems and software is expensive and time-consuming for firms that are watching their margins shrink with interest rates hovering once again near zero.
SolarWinds, a network management software company, was secretly hacked in early 2020; the hackers then added malicious code to the company’s software system.
Broker-dealers obviously need to be on their guard for both types of cyberattacks. 2020 was the year that independent broker-dealers needed to rely on technology more than ever, with home-office staff and a large number of advisers working from home or in remote offices.
IBDs and advisers often don’t have multifactor authentication systems that confirm a network login with a text message or phone call. Are they ready if they’re the target of a sophisticated cyberbreach in 2021?
“By not having a modern, secure, multifactor authentication for each login, independent broker-dealers are inviting trouble,” said Steve Hunt, senior analyst on Aite Group’s cybersecurity team. “It’s not like they are asking for trouble, but to a hacker they look like the one house on the block with the dim porch light and flimsy lock on the door.”
“After any data breach or attack each enterprise should ask the questions, ‘Can this happen here? And what controls do we have that would prevent this type of attack?’” Kevin Murphy, senior manager at T-Mobile, wrote in an email.
“In this particular case, do we require a secure development and build environment from our vendors?” Murphy asked. “Is it part of our third-party agreements? A secure authentication is certainly part of a secure development and build environment and should be one of the controls in place.”
“Based on the SolarWinds attack, enterprise customers need to review their third-party agreements and review the attestations for the security of the patches,” he added, referring to the sets of changes to a computer program that are meant to update it.
Cybersecurity was the top near-term tech concern for independent broker-dealers, according to the 2020 InvestmentNews Adviser Technology Study, and was cited by 77% of firms who participated.
Some firms are taking extra precautions, while others are not. Sixty-five percent of IBDs had at least some cybersecurity coverage in their E&O — errors and omissions — insurance, and 29% purchased supplemental insurance for cyberliability, according to the study.
The threat is real for advisers. Seven percent of all advisory firms have had data compromised as the result of a cybersecurity breach, according to the study.
Broker-dealers rely on outside or third-party vendors for technology and other services and can sometimes suffer ill effects as a result.
The Financial Industry Regulatory Authority Inc. closed out 2020 by hitting LPL Financial, the largest independent broker-dealer in the industry, on Dec. 31 with a $6.5 million fine due to shortcomings in a variety of supervisory issues, ranging from record keeping to fingerprinting of non-registered employees and supervision of advisers’ consolidated reports.
From January 2014 to September 2019, LPL fell short in its supervision of consolidated reports generated by outside, third-party vendors that its advisers used, according to Finra. The vendors did not send the reports to LPL and the firm did not review them.
One former LPL broker exploited the weak supervision of consolidated reports, essentially documents that summarize customers’ assets, to send reports containing fictitious assets to several LPL customers as part of a $1 million Ponzi scheme, according to Finra.
While the lapse in LPL’s supervision of the reports is not a hacking issue, it shows the sprawling access that third-party vendors have inside independent broker-dealers.
“IBDs are different than the victims of the SolarWinds-related attack — they’re not big organizations that foreign attackers want to go after — but they are susceptible to security shortcomings that everyone faces,” said Aite Group’s Hunt.
“Because of the SolarWinds attack, we are reviewing the data protection agreement with third-party vendors to make sure we have those protections in place,” said Nick Harness, chief information officer at Kestra Financial.
“And we’re about to restart those conversations to see what vendors’ cybersecurity controls look like and other reviews, too,” Harness said.
Kestra does the initial review in-house and then uses a consultant to complete the majority of the due diligence grunt work of a tech vendor exam, he said.
“In an ideal world, those reviews would be similar across vendors and expect that to be a challenge,” Harness said. “In our industry, there are a lot of fintech partners and there will be gaps in those controls. SolarWinds highlighted that everybody is not immune to this.”
Reliance on outside companies and vendors makes it imperative to be on guard for such attacks.
“It’s not realistic for us to eliminate using third-party vendors, so it’s down to intense due diligence of the third parties you are using,” said Amy Webber, president and CEO of Cambridge Investment Research, a leading independent broker-dealer.
It’s a matter of when, not if, a B-D will face a cyberattack, she added.
“We chose not to do business with certain companies because their risk mitigation wasn’t strong enough,” Webber said. “At one point in time, our advisers used a system to store client documents so everyone, the accountants, the attorneys, could look at them in a vault-type facility. But there are a lot of vaults we can’t do business with because they are not safe enough.”
“You have to be willing to say no to some vendors and keep on looking,” she added.