In an article by Susan Antilla entitled “Here’s Why You Should Carefully Read Your Brokerage Statements in Down Markets” in The Street, she advises investors to look closely at the fine print in investment firms’ clauses that “guarantee” investors’ money back if their accounts get hacked. Charles Schwab’s “Security Guarantee,” TD Ameritrade’s “Asset Protection Guarantee,” and Ameriprise Financial’s and Scottrade’s “Online Security Guarantee” are all examples of the promises brokerage firms make to an investor in the event his account gets hacked. Antilla warns that these “guarantees” really only secure reimbursement if the investor himself has been vigilant about his own security. Some examples are:
Did you share your password with someone who wound up stealing your money? Your broker will consider that a transaction that you authorized — a reasonable policy considering that you gave away the keys to your account.
Do you regularly check your account for unauthorized transactions? Fidelity, Scottrade, TD Ameritrade, Ameriprise and Merrill Lynch expect you to review all the information they send in the mail or check your online account frequently for activity that doesn’t look familiar. (In the recent market volatility, some advisers and journalists were urging investors not to look at their statements. Ignore that dangerous advice).
Are you savvy about spotting phony “phishing” emails that try to dupe you into thinking you’re dealing with your broker or fund company? Ameriprise says you can’t respond to, open an attachment in, or click on a link within an email “if you suspect the message is fraudulent.” Other firms have a similar requirement that you not fall for phishers, so take time to learn how to spot and avoid these scams if you’re counting on reimbursement protection.
Another caveat that firms impose is the creation of “safe” and hard-to-guess passwords that the investor does not use for any other account. “Safe” and “hard-to-guess” are arbitrary terms, and most firms provide no guidance as to how they are defined. One firm, Vanguard, also requires a password to be different from those used on other websites, to be changed on a regular basis, to be complex in nature and to be at least eight characters long.
Cybersecurity threats remain one of the most significant risks many firms face, and in 2017, FINRA will continue to assess firms’ programs to mitigate those risks. FINRA recognizes there is no one-size-fits-all approach to cybersecurity, and we will tailor our assessment of cybersecurity programs to each firm based on a variety of factors, including its business model, size and risk profile. Among the areas FINRA may review are firms’ methods for preventing data loss, including understanding their data (e.g., its degree of sensitivity and the locations where it is stored) and its flow through the firm, and possibly to vendors. FINRA may assess controls firms use to monitor and protect this data, for example, through data loss prevention tools. In some instances, we will review how firms manage their vendor relationships, including the controls to manage those relationships. The controls should be informed by a number of factors, including a clear understanding of any customer or employee personally identifiable information or sensitive firm information to which vendors have access. We may also examine firms’ controls to protect sensitive information from insider threats. The nature of the insider threat itself is rapidly changing as the workforce evolves to include more employees who are mobile, trusted external partnerships and vendors, internal and external contractors, as well as offshore resources.
We also draw firms’ attention to two areas in which we have observed repeated shortcomings in controls. First, cybersecurity controls at branch offices, particularly independent contractor branch offices, tend to be weaker than those at firms’ home offices. We have observed poor controls related to the use of passwords, encryption of data, use of portable storage devices, implementation of patches and virus protection, and the physical security of assets and data. Second, in multiple instances, firms have failed to fulfill one or more of their obligations under Securities Exchange Act (SEA) Rule 17a-4(f), which requires firms to, among other things, preserve certain records in a non-rewriteable, non-erasable format, commonly known as write once read many (WORM) format. This includes situations where vendor-provided email review and retention services did not fulfill SEA Rule 17a-4(f) requirements. FINRA recently announced enforcement actions against 12 firms for, among other things, failure to preserve broker-dealer and customer records in WORM format.
If you lost money because of hacking or phishing, you may be able to sue your brokerage firm in the Financial Industry Regulatory Authority (FINRA) arbitration forum. The firm may be liable for your investment losses resulting from hacking or phishing, so please call our securities law office in Chicago, Illinois for a free consultation with an attorney. We take cases on a contingency fee basis only and there is no obligation. Our number is 312-332-4200.
The postings on this site are mere OPINIONS and NOT statements of fact in any way whatsoever. The information should not be relied upon, and there have been no findings made against the firms or individuals referenced on this site. In addition, this Blog is made available for educational purposes only and incorporates information from the web to give you general information and a general understanding of the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney-client relationship between you and Stoltmann Law Offices (161 N Clark Street, 16th Floor, Chicago, IL 60601). The Blog opinions should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.
PLEASE NOTE THIS IS ADVERTISING AND IT IS NOT A NEWSPAPER ARTICLE OR POST FROM AN INDEPENDENT OR NON-BIASED, NEWS SITE, NEWS SOURCE OR NEWSPAPER.