Cybersecurity Environment Is 'Terrifying,' USA Financial's CCO Says

USA Financial urges its advisors "to be very careful about the information they send" via email, McGrew says. "If you're sending personal information about clients, or distribution forms, you've got to recognize that if they [hackers] can get your credentials and get your email, they can print out a distribution request and send it to you. Your client could be out of a lot of money in a short period of time."

When USA Financial itself gets a client distribution request, "we always call the client," she says, to ensure it's legitimate. Advisors should be cautious about clicking on links or responding to emails, looking for common red flags. "Look at the domain name—if its 800 characters long, it's probably not legitimate; if the email address doesn't sound right, if the wording is odd" don't respond unless you first confirm its authenticity.

Be particularly skeptical, she says, when the so-called client's request includes a sense of urgency—"I need this $100,000 by tomorrow!" or when the client requests a change of bank to which to send that $100,000.

As an advisor,  if you get a written request from a client that they need a distribution or a wire transfer, call them and verify that the client actually made the request, she recommends.

While making that call may be time consuming, McGrew says there's actually a hidden business benefit in doing so. Present the call, she suggests, as a "a value add to the client" which demonstrates that the advisor is looking out for the client's best interests by confirming the request's legitimacy. "The role of an advisor is shifting to being a family CFO," she says, so this confirmation call is " part of what I do" to protect the client.

How Can Advisors Further Protect Themselves?

1. Beyond instituting the basic cyber protection technology like strong firewalls, McGrew suggests advisors follow USA Financial's internal common-sense physical protection, such as not displaying passwords on a sticky note on your monitor. "Our tech team looks around the office," she reports, "to make sure you can't see passwords" being entered into a device from outside the office or cubicle.
2. Speaking of passwords, McGrew says "we tell our advisors not to use a traditional password" but rather a passphrase, something like "'rocks roll down the hill'," and to refrain from using the same password for all the sites or apps the use. Consider also using password management software like Keeper.
3. "There are so many little ways you can protect yourself," she says, including being careful about accessing information on a portable device. "Lock it out every minute," she suggests, and "enable a kill switch on your phone; kill it if you lose the phone, and wipe it."
4. McGrew encourages advisors to explore cybersecurity insurance, noting that such coverage may well not be covered by your standard E&O insurance policy, which normally covers errors and omissions, "not fraud."

While expensive, cyber insurance can help protect an advisor should a client lose thousands or even hundreds of thousands of dollars because of an attack. "If your client loses $250,000 because of a phishing link, you're going to have conversations with the client about how to recover that money."

If you're an advisor who downplays cyber risk or thinks having cyber insurance coverage is sufficient protection, there's one other potential problem advisors face if they're successfully attacked. "The internet really is a dark web," McGrew warns. "If your name gets out there as an advisor with vulnerabilities," other hackers "will attack you like a lion going after the weakest prey."

Related on ThinkAdvisor:

• Just Do It: A 2018 Year-End Action List for Advisors
• Why Phishing Scams Are Increasingly Targeting Financial Advisors
• T3 Event Shows How Advisors Can Keep Robots at Bay