By Mark Delfino, MBA
CEO & Senior Managing Director
Cybersecurity is a timely and important topic that we take very seriously. HoyleCohen held cybersecurity symposiums for our clients in Sacramento, Santa Monica and San Diego last week. Noted industry expert John O’Connor covered a wide range of topics and offered practical advice to the more than 300 people who attended. What follows are highlights of the event and what HoyleCohen is doing with regard to cybersecurity. We also provide a link to an informative white paper written by John O’Connor on the topic.
John addressed the topic by identifying who the adversary is, how they do what they do, and what we can do to better protect ourselves. While nation-states like Russia may get the headlines, the enemies of average citizens are economic criminals, not agents of foreign governments. John described various approaches for cyber-fraud, the most common of which involves stealing user IDs and log-in credentials by putting key-logging ‘malware’ on our devices when we click on an infected link or ad.
Unfortunately, our use of social media (e.g., Facebook) and networking sites (e.g., LinkedIn) has made it easier to deceive us. Long gone are the days of generic, misspelled emails from Nigeria. According to John, today’s successful fraudsters buy profile data on us first so they know our primary affiliations and interests, allowing them to craft emails that look like those coming from common, trusted sources.
John spent most of the time discussing how to better protect against online fraud. For those who did not attend a symposium, I strongly suggest you read John’s white paper, which summarizes most of the primary actions you should consider. Click here for access to John’s article.
John also covered some topics not mentioned in the article:
Cybersecurity and HoyleCohen
Cybersecurity is one of our highest priorities. Below is a brief summary of what we at HoyleCohen are doing to address it. First, we have 24/7 (around the clock) monitoring of our systems by our IT provider, we do daily anti-virus scans and software updates, and we regularly test our back-up servers in the event of a disaster to ensure business continuity and data redundancy.
Second, we have outside consultants who perform independent reviews of our cybersecurity infrastructure and our policies and procedures to help identify and prevent potential incidents. In 2017, we conducted two types of technical cybersecurity tests. We did a ‘vulnerability scan’ to assess the security strength of our systems and a ‘penetration test’ which involved paying a third party to try to penetrate (or ‘hack’ into) our systems. We are pleased to report that they were not able to penetrate our systems and we received high marks on both tests with no critical issues or risks identified.
Third, we do extensive staff training that includes cybersecurity topics, role playing and actual examples of fraud attempts. These topics are highlighted because most breaches still involve people being ‘tricked’ by fraudsters. As part of this month’s training, John spent two hours with our staff in each of our three offices to further enrich our awareness of these risks.
Fourth, we’ve created redundancies and extra checks and balances in our processes to help ensure validation and authentication, particularly when facilitating financial transactions for clients. One recent change was requiring two staff members to confirm any disbursement of funds from any HoyleCohen account to a new account or a third-party account to prevent fraud. We know clients sometimes get frustrated with the extra calls or red tape, but we believe it is worth the enhanced protection.
Fifth, we vet and review the cybersecurity controls of critical third-party service providers like Tamarac (our systems/portal provider), our custodians, and other vendors.
Sixth, we are proactive in both identifying and helping resolve any potential issues that might affect our clients when they do arise. For instance, we recently alerted a client’s CPA that their email had been hacked and was being used by a fraudster trying to get information from us on our mutual client.
Finally, it is important for clients to keep in mind that we are only the advisor of a client’s investment assets and that a custodian like Schwab, TD Ameritrade or MTC has actual custody of a client’s money, so this adds another, independent layer of protection.
We will be taking some new actions. We will require two-factor authentication for HC client portal access starting very soon. Interestingly, we tried to implement two-factor authentication some time ago, then discontinued it due to client complaints about ease of use. That was before Equifax and other high-profile cybersecurity breaches. As we heard from John, this approach is one of the best ways to protect yourself today as those who steal user IDs and passwords have not yet found a good way to intercept or access these independent, real-time codes. Two-factor authentication is quickly becoming the best practice norm, and John was emphatic that we and our clients implement this.
Better to Prepare and Protect
Cyber risks are here to stay, but this does not mean we should live in fear of technology or try to avoid cyber risks at all costs. As John pointed out, there are many ways to address these risks. As with most risk management decisions, preparedness involves assessing options along a continuum. It’s important to identify the proper balance among security, cost, and convenience for your personal situation.
Cybersecurity is also a moving target. What we do to protect ourselves today may prove inadequate tomorrow. We at HoyleCohen will continue to work extra hard to stay on top of cybersecurity and to help clients do the same. Through education and wise choices, we can better prepare and protect ourselves so we can each live without undue worry while still reaping benefits from technology and its connectedness.
We travel this journey together. As always, please feel free to reach out to us if you’d like to know more or if you feel we can assist you.