Four steps to shield your IRA from online security threats
Still using the same data to log into your favorite shoe-shopping website and your 401(k)? Let’s rethink that, shall we?
The recent worldwide ransomware scare, WannaCry, prompted financial regulators to issue an alert to firms handling investor money. The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations reminded brokers and investment advisers that a 2015 SEC exam found wide disparities in financial firms’ procedures regarding data security.
According to the review, 26 percent of investment advisers and 5 percent of brokers studied did not conduct periodic risk assessments to identify security threats. Nearly 60 percent of advisers did not conduct vulnerability scans and other critical tests, and 10 percent of brokers had a “significant number” of critical security patches that had not been applied.
One possible reason for the difference between brokers and fee-based advisers: Independent investment advisers often use third-party custodians to handle actual customer money, and those large firms are the ones performing data security, noted Mark LaSpisa, an adviser in South Barrington, Ill.
Whatever the reason, there are clearly some holes in the safety net — and while it’s always a good idea to know how your retirement plan sponsor, IRA holder or financial adviser is keeping your information secure — it’s also important to do what you can on your own to avoid trouble, experts said.
“Consumers are vulnerable and they often don’t take the steps they should,” said Jonathan Fairtlough, a Los Angeles-based managing director for cybersecurity and investigations at Kroll, a large compliance and risk management firm. “Most people still use their email address as a user name and don’t turn on multi-factor identification when given the chance.”
Fairtlough walked through a couple of chillingly easy ways criminals can get access to the 401(k) accounts of older workers and seniors who have left their 401(k) accounts intact with former employers. He also offered up four relatively painless ways investors can protect their nest eggs, regardless of where the assets are being held:
■ Turn on multi-factor ID. Many financial firms offer customers the option to have a text message sent to the customer’s phone, displaying a one-time code that must be entered to get into an online account. Use these on every account you can. Criminals can find ways to work around this step, but the bigger the wall you build, the more inclined they are to look for easier prey, he said.
■ Get a second email address. Set up an email address that will strictly be used for financial accounts, he said. “It can simply be your name with an added word that indicates this is for a financial account,” he said. The idea is to avoid using the same email to both access a $300,000 retirement account and get fabric store coupons, he said.
■ Set phone passwords. This is another area where criminals have succeeded in cracking the code, but go ahead and set up passwords for phone calls to an investment firm, Fairtlough suggests.
■ Creative spelling pays. Data stealers often get access to passwords via websites’ password recovery systems, he said. So, when you are setting up answers to their recovery questions, such as the name of your dog, add an asterisk or other symbol in the middle of your answer. This is particularly important for questions with a limited number of answers, he said, like the color of your first car. Change the answer slightly, but consistently, and you’ll have a unique answer that can be remembered, he said.
Finally, if you’re interviewing potential new financial institutions or advisers, ask how their security measures have changed in the last couple of years to keep up with current threats, he said.