Being vigilant with cybersecurity

Ian Muir

Senior Vice President, Schwab Advisor Services

Ian Muir shares tips for maintaining and strengthening your firm's approach to data security and combatting fraud attempts.

Technology has opened up exciting new opportunities. Today, it is routine to do business, keep in touch, and stay current on world events using the devices we carry in our pockets.

While electronic innovations expand our use of connected technology to make our lives easier and more productive, they also have related security risks that we must be aware of and manage. As an industry, we must continue to work together to ensure that our cybersecurity tools and techniques are strong, and that we use them consistently to protect clients, our firms, and our vital data.

Technology fraud is a threat that, for many firms, doesn't seem relatable or inspire urgency until it's too late. If you've never experienced a cybersecurity breach or been a victim of fraud, it's easy to take a complacent stance on preventive security measures. But the statistics are sobering: According to the U.S. government, cybercrime is more profitable than the illegal drug trade. In 2014, the cost to the global economy from cybercrime was almost $445 billion.

And fraud tactics continue to evolve, keeping pace with the increasing complexity and sophistication of technology tools and the wealth of information available through social media and online. In many cases, intricate crime rings with teams of people are hard at work, figuring out new ways to steal money from individuals and businesses worldwide. As their approach gets more sophisticated, so must our protective measures.

The right time to protect your firm from a cybersecurity breach is before you're faced with one. Below you'll find a series of best practices for maintaining and strengthening your firm's approach to data security and combatting fraud attempts. I encourage you to review them and ensure that your firm is doing all it can, every day, to maintain strict security standards.

1. Stay up to date with rising compliance standards.

Increasingly, the U.S. Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and other regulatory agencies are making cybersecurity one of their key priorities, and they have published information to guide your firm in designing and implementing internal controls and a security plan. We encourage you to review the National Institute of Standards and Technology (NIST) Cybersecurity Framework for guidance on developing a cybersecurity plan. Knowing what examiners are looking for and conducting periodic assessments of your firm's policies and procedures can make it easier for you to stay compliant.

2. Review the "red flag rule."

The SEC and the U.S. Commodity Futures Trading Commission require firms to have a written identity theft prevention program, designed to detect the "red flag" warning signs of identity theft that could occur in their day-to-day operations and to mitigate the damage caused by identity theft. If you haven't done so recently, now is the time to take stock of your firm's methods of collecting, maintaining, and securing your clients' personal data along with your firm's secure information. There are four steps you should consider:

  • Identify relevant types of identity theft red flags.
  • Detect the occurrences of those flags.
  • Create procedures to prevent identity theft.
  • Periodically update the program.

Once your firm's identity theft prevention program is designed, it requires approval and senior management oversight for its implementation and maintenance.

3. Don't use the same password for multiple sites. Encourage clients to do the same.

Using different passwords may seem intuitive, but many people adopt the same password for multiple sites. Keeping track of multiple passwords can be challenging and requires organization, but when a single stolen password gives a fraudster access to multiple sites, the risk of a security breach is much greater. Everyone should be diligent about creating unique passwords for all sites used, especially financial sites.

4. Keep current on new fraud tactics.

Stay informed of the latest trends and tactics in cybercrime. Advisors are reporting an increase in fraud attempts that use overnight check requests, especially where the recipient appears to be the client but is, in reality, the fraudster using a compromised account or a very similar email address. Fraudulent invoices are also a tactic that appears to be on the rise. Periodically conducting simple research and comparing notes with your industry peers on fraud tactics can help you recognize suspicious requests and the warning signs of fraud. Be sure to educate your colleagues and firm employees to ensure broad awareness of the cybercrime tactics that pose the greatest threat to your practice.

5. Learn the signs that a client's email account may have been compromised.

Every day, fraudsters successfully take over individuals' email accounts. If one of those individuals is a client, it's a good bet that the unauthorized individual will contact you. They will leverage information from the compromised email account to try to convince you that they are your client, and that they need to transfer money from the client's account.

One effective way to protect against this kind of attempt is to never treat email as a secure channel for client communications. To confirm email-based requests, make sure that you or a designated member of your staff initiates a call to your client using the phone number stored in your files, not a number supplied in the request itself. For this reason, when you execute a wire request, Schwab requires attestation that you have confirmed each request verbally with the client.

You can also talk to your clients about the benefits of using electronic approvals. It's a more secure way to process wire requests because clients are required to log in securely to Schwab Alliance to approve their request. To learn more about these tools, visit the electronic approvals resource page. There are also dedicated resources on the Client Learning Center that explain the benefits of electronic approvals and how Schwab safeguards online information.

6. Stay SAFE.

SAFE is an acronym you can use to help you remember some of the commonsense practices that can help your firm minimize risk.

Stay watchful and be vigilant for potential security risks, and speak up if you notice anything unusual.
Be Aware of your cyber environment.
Follow sound procedures for all client transactions.
Email—be cautious and safe when responding to emails and when opening attachments.

By following smart, documented processes, staying informed of the newest trends in cybersecurity, and remaining vigilant, we can help keep our clients, our firms, and our data safe.