Complacency Is Weakest Cybersecurity Link: Dalbar/ThinkAdvisor Study

Despite the increasing fear Americans have of personal and financial information being stolen, most financial-services firms have been complacent on updating or implementing state of the art — or even basic — cybersecurity technology, according to a recent study by Dalbar/ThinkAdvisor, "The State of Authentication in Financial Services."

The most significant finding of the research is "generally how passive people are about the subject," says Lou Harvey, president and CEO of Dalbar, a Boston-based independent financial-services market research firm.

"The more we've examined, the bigger the shock it is as [cybercrime] keeps growing. Look at the number of incidents," he explained in an interview. "Think about the last day you didn't see a news item about cybertheft. I imagined everyone would be up in arms with [cybersecurity], but they were not, and that certainly caught my attention."

The survey of broker-dealers, sponsored by ThinkAdvisor, Dalbar and 15 financial-service firms, aimed to identify the greatest deficiencies in cybersecurity authentication and to "create a roadmap to improving protection," Harvey says.

The research revealed that 74% of firms have the same practices they've had for the past five years, and only a "paltry" 4% are planning to adopt new practices, Harvey says, adding that he did not anticipate these results.

"No one wants to make a big ado about the threat," he explained. "When something goes wrong or issues arise [it's] outside of the financial-services [industry], so it doesn't grab the attention it should."

"Unless it happens to a firm or an advisor, it happens in the outside world. There's a huge difference with someone who has come face-to-face with cybertheft, as opposed to a vast majority who have not," Harvey explained. "Those who have had accounts opened or money withdrawn are passionate about the issue, but that has not translated to a general concern."

Most firms have run across the phishing of their accounts, but nothing in a big way, like 10,000 accounts being affected. "Until someone like Julian Assange gets out of playing with the government and starts playing with money," firms likely will not move to make changes, Harvey says.

More Key Findings

The most widely used authentication practices within the industry are procedures for failed logins (66.1%), while the termination of sessions after a period of inactivity is used by 60.4%, according to the study.

In addition, 57.3% of firms have the ability to cancel, replace and communicate about a password if an account has been compromised.

The best-fortified businesses are retirement service providers, which take advantage of 30.1% of authentication practices, followed by investment providers (29.7%) and life & annuity providers (28.7%).

Key points of access by bad actors include websites (at 34.3%), followed by mobile devices (28.7%), interactive voice response (22.9%), phone centers (21.6%) and electric statements (24.7%).

Phone centers that employ humans thwart thieves, since an account or other change must go through a real representative and not just a computer, which Harvey refers to as a "picket fence" defense. The "stone wall" defense is an aggregation of all defenses stacked together, he says, not just one or two.

Financial advisors should be very concerned about the cyber defense of their broker-dealers and other institutions that hold client assets, such as investment firms, insurance companies and record-keepers, Harvey points out.

"Advisors have a role in all of this. The advisor is going to be called to account if something in fact goes wrong. If a client turns assets over to an advisor, the advisor puts them somewhere, and they get [stolen], the client will blame the institution, but doesn't the advisor have complicity for having it [at that broker-dealer or other firm] in the first place?" he asked.

His answer is "yes." Advisors generally believe that client assets are safe thanks to the diversification of their investments, "but are you [diversifying the] institutions you use [for cyber defense]?" the Dalbar executive inquired.

Other Research

According to a recent study by the American Institute of CPAs, eight in 10 Americans are concerned about the ability of businesses to safeguard their financial and personal information, and three in five say they or an immediate family member have been the victim of some scheme to defraud them, ranging from a letter or phone call from someone impersonating an IRS agent to someone opening a line of credit in their name.

In late March, New York Attorney General Eric T. Schneiderman released a report stating that there were 1,583 data breaches reported in New York State in 2017, exposing the personal data of 9.2 million New Yorkers — four times the number impacted in 2016.

To prevent the loss of investor assets, advisors need to question their BDs about to their cybersecurity practices. "It should be a part of every RFP," the Dalbar chief explained.

Though many firms have been hacked for clients' personal information, it will take a major financial loss to move the bar. "It seems to me that once we have an ugly scandal with money lost as opposed to personal information [being taken], this will get people's attention," said Harvey.

***

The key findings of the Dalbar/ThinkAdvisor survey on how firms use certain authentication practices are listed below; a mark (X) in the Usual Practices column means more than a-third of respondents use the practice and therefore it is considered usual.

ID	Authentication Practice	Number Responding	% in Use	Usual Practice
1	Username/Password for identification	294	54.1%	X
2	Confirmation process for changing username/password/email	294	47.6%	X
3	PIN for authentication	294	19.7%
4	SSN for identification or authentication	238	30.7%
5	Two Factor Authentication – a process that involves both: Factor 1 – information that the user knows (like account number) and – Factor 2 – something that they have (such as a token) or a separate channel (such as email or text message)	282	25.5%
6	Multi-tiered authorization (i.e. Tier 1- Account info; Tier 2- Personal data/transactions)	228	33.8%	X
7	Personal security questions	282	41.8%	X
8	Separate on-file medium for authentication (phone/email/etc.)	282	36.2%	X
9	Voice ID	282	9.6%
10	Fingerprint	176	15.9%
11	Facial Recognition	176	3.4%
12	Other biometric (please specify)	226	0.0%
13	Patterns in login history to alert for possible risk	78	28.2%
14	Detection of change to flag possible risk (Device/IP address/etc.)	176	34.7%	X
15	Challenge-response test such as Captcha	226	9.7%
16	Changes in volume mix of activity	224	23.2%
17	Same IP address in activities in other accounts	120	20.0%
18	Terminate session after timed period of inactivity	224	59.4%	X
19	3rd party user management/authentication solutions	280	22.5%
20	3rd party fraud prevention solutions	280	30.7%
21	Procedure for undelivered email	280	38.6%	X
22	Procedure for undelivered standard mail	280	51.8%	X
23	Procedure when there are no logins for an extended time	224	19.6%
24	Procedure for multiple failed logins	224	63.8%	X
25	Temporary password for immediate access	224	41.1%	X
26	Ability to cancel, replace and communicate password if account is compromised	280	56.4%	X
27	Password expiration after a period of time or set number of uses	224	23.2%
28	Multiple source verification for transactions (i.e. advisor and client)	226	27.0%
29	Restrictions on transactions that could be used for fraudulent purposes (address/registration change, etc.)	226	53.1%	X
30	Limit access for high profile accounts	280	22.5%

Complacency Is Weakest Cybersecurity Link: Dalbar/ThinkAdvisor Study

Resource Center

Trending Stories

Complacency Is Weakest Cybersecurity Link: Dalbar/ThinkAdvisor Study

Related Stories

Resource Center

Trending Stories