Cybersecurity and Your Brokerage Firm
Information technology (IT) plays a critical role in the securities industry. Unfortunately, cyber threats to the information and computer systems of brokerage firms are increasing, and with these threats comes the risk of potential harm to investors. Dangers include email hack attacks, improper transfer or theft of customer assets, and misuse or even theft of customer data.
FINRA is issuing this alert to encourage investors to understand a firm’s cybersecurity policies and take personal precautions to safeguard their brokerage accounts and personal financial information.
Get to Know Your Firm's Cybersecurity Practices and Policies
Information breaches are not unique to the securities industry, and brokerage firms have been working hard to safeguard against attacks. Asking your firm a few questions, like those that follow, can help you better understand the firm’s cybersecurity activities and policies as they relate to you, the customer.
- What safeguards do you have in place to protect my personal information and assets?
- Do you monitor my personal information to determine whether it has been stolen or misused?
- How do you handle an account intrusion or other malicious cyber event? For example, would I be notified if personal information or assets were compromised—and how would I receive this notification?
- Will you reimburse me if my assets are compromised by a cyber-attack?
- Are there any measures that you recommend I take to personally protect the information on my computer, including protection of passwords or other sensitive information?
A variety of options are available to businesses, including brokerage firms, to verify a customer’s identity. Many data security experts advocate a layered or multiple-factor approach to authenticating a customer’s identity. When it comes to verifying your identity, do you simply have to enter a PIN or a user name and password? This is known as "single-factor authentication."
Cybersecurity experts encourage the use of additional layers of protection, such as "knowledge authentication"—correct answers to "challenge" questions like "What is your mother’s middle name?"—or "ownership factors" like having to enter a randomized PIN generated by a key fob or token that you have been issued. Some firms may also employ device identification that confirms (usually with a cookie—a file that a website puts on your computer to collect information) that the customer’s computer is the same one used by the customer to enroll the account. When you use a different computer or mobile device, the firm’s system may provide one or more challenge questions to verify your identity.
When it comes to passwords, requirements for password strength may vary from firm to firm. In general, stronger password protocols—for instance, the use of upper and lower case letters combined with numbers or symbols—contribute to a safer online experience. Experts recommend that you not use the same password for multiple accounts—and that you change your passwords frequently.
Practice Cyber Safety
Your online security can be enhanced by doing your part to safeguard your brokerage accounts and personal financial information.
Sound cyber safety tips include using up-to-date firewall and anti-virus programs on your personal computer, as well as formally logging out of all online sessions related to your account once you are finished. If you use apps on mobile devices to access your financial accounts, be sure to password-protect your device—and make sure you select the highest security setting that the app offers (such as disabling "quick access" features or any option that keeps your account open even after you close the app).
Email awareness is essential. Cybercriminals use a variety of phishing techniques—scams that use spam email or a fake website to lure you into revealing your bank or brokerage account information, passwords or PINs, Social Security number or other types of confidential information. Beware of emails that request personal information, and don't reply to, or click on a link in, an unsolicited email that asks for it. When in doubt, log onto the main website of your bank, credit card company or brokerage firm using the website address that appears on your account statements or credit card—or call your firm using a telephone number you know is legitimate.
Phishing scammers are growing ever more sophisticated. Targeted phishing—known as "spear phishing"—is on the rise. These personalized emails seem plausible (for instance, an email purporting to be from your brokerage firm asking you to update personal information, perhaps related to a "security issue" or other concern). Most brokerage firms never send an unsecured email to request personal information. If such information is required, it is likely to be requested only when you have securely logged into your account.
Finally, read your account and confirmation statements thoroughly to make sure that all transactions shown are ones that you actually made or authorized. If you see a mistake or something that doesn’t seem right, contact the firm immediately and follow up in writing to confirm any oral communication or understanding with the firm.
- SEC Investor Bulletin: Protecting Your Online Brokerage Accounts from Fraud
- FINRA Investor Alert, Email Hack Attack? Be Sure to Notify Brokerage Firms and Other Financial Institutions
- FINRA Investor Alert, Protect Your Online Brokerage Account: Safety Should Come First When Logging In and Out
- FINRA Investor Alert, "Phishing" and Other Online Identity Theft Scams: Don't Take the Bait
- FINRA and the Securities Industry Financial Markets Association brochure, Keeping Your Account Secure: Tips for Protecting Your Financial Information
To receive the latest Investor Alerts and other important investor information, sign up for Investor News.