Data breaches, fraudulent activity, and online tricks and traps are all around us. It happens so often we’ve dubbed March fraud month to raise awareness of the growing issues. In fact, we’ve got enough to say about it that we’ve broken up this article into two parts. Part one looks at two factor authentication (TFA) and your responsibilities as a DIY investor. Part two examines investor confidence and how you can check to be sure your advisor is trustworthy, accredited and competent. To cap things off, we’ve also included some handy resources at the end of Part one.
First things first: don’t freak out. Despite the multitude of risks and negative headlines concerning online activity, there’s plenty of security, and lots you can do to ensure your online brokerage account is safe and secure.
That said, what DIY investors cannot do is stay complacent, or just assume that an online brokerage is either solely responsible for online account security or necessarily doing all it could to keep investments safe. Just like learning about how to choose investments comes with the territory of investing online, going the DIY investor route also requires learning enough about technology and online security to ensure that access to your trading account is as safe as is reasonably possible.
While online brokerages may have regulatory compliance standards in place that ensure a minimum level of security, investors (i.e. online brokerage clients) must also take steps to keep up.
It’s a handshake agreement between you and your online brokerage that only works when you both maintain a steady grip.
The good news for DIY investors is that most Canadian discount brokerages have a security agreement of one kind or another, offering a “100% security guarantee.”
Those agreements, however, have stipulations that depend on a DIY investor maintaining good security practices, which begs the question, what strings are attached to the ‘100% security guarantee?’
Most guarantees offered by Canadian discount brokerages are limited to “direct losses” in your online brokerage account that come about from “unauthorized” activity. At the very least that means they likely won’t cover losses that occur if you allow someone to use your account and then that person cleans you out. Also, most online brokerage security guarantees say that you must adhere to the conditions they have placed on your end. That might include installing up-to-date software such as firewalls and frequent passcode changes, among other conditions. The bottom line: Learn them. Know them. Do them.
Online security conditions vary among online brokerages, so be sure to check yours out—and carefully.
Here are some common concerns:
These aren’t anywhere near all the conditions that you might have to meet for your internet security guarantee to kick in. And, in most cases, whether you have met the required conditions is determined by the online brokerage, not you. So, you might want to track things like how often you change your password and, at a minimum, regularly check your account (even if you’re a passive investor) to ensure no irregular account activity is taking place.
Ultimately, account security is a two-way street, and you might want to ask your online brokerage if their security system is the best it could be. More and more companies online are turning to two factor authentication, aka 2fa or TFA, as data breaches and fraud become only more prevalent.
Of 14 Canadian online brokerages, three currently offer two factor authentication (TFA): BMO InvestorLine, Interactive Brokers and HSBC Invest Direct. But what is TFA, anyway, and does it matter to have it as part of the login system at your online brokerage? Well, the short answer might be, how much do you care about your money and investments?
If you don’t know already, two factor authentication (TFA) requires two steps, or factors, as part of the authentication process when you access your account.
The first step is your username and password. The second step is either a physical token (like your debit card) or a PIN. The PIN is usually sent to you via your cell phone when you enter your username and password. You can see it’s a pretty secure approach since only you (presumably) have your phone with you, and only you know your username and password.
The 11 online brokerages that currently do not use this system have other, multiple levels of security. These include 128-bit or even 256-bit encryption, multiple firewalls, anti-virus software, internal protocols and constant electronic monitoring, among other measures. Though hackers get better all the time, two factor authentication (TFA) may be the best security around right now.
Data breaches cost Canadian companies an average of $6.03M every time they occur according to The Ponemon Institute, and Blackberry estimates that total costs for Canadian companies will reach $23B by 2019.[i]
And, like most costs, those losses are eventually passed on to consumers. Canada’s regulatory agencies are also weighing in on the matter. The Investment Industry Regulatory Organization of Canada (IIROC), itself the victim of a data breach in 2013,[ii] offers a cybersecurity report card to its member organizations.[iii]
As well, the Mutual Fund Dealers Association of Canada (MFDA) offers a 4-part toolkit that investors can use as a guide, including checking out your advisor and the organization to see if either has been litigated against.
Costs alone may lead to two factor authentication (TFA) becoming more widely used, as losses from data breaches or hacking can be fantastic. While industry certainly has financial motive to prevent exploits, DIY investors are making their thoughts on the matter heard too.
In 2016, for example, Redditors had a vigorous debate over security at a popular online brokerage, Questrade. One redditor commented, “I think this should be a higher priority than their many website facelifts of recent months.”
As they often do on the DIY investing forums, John, a support representative from Questrade, responded: “I can confirm that we have moved beyond the investigation phase and are working on a two-factor authentication solution. We will be announcing more details as the project progresses.”
If your DIY investor account is breached, act fast
In the event your account is compromised, there are several things that will need to be done relatively quickly to qualify for coverage of an online brokerage security guarantee.
Here are a few:
DIY investor takeaways
Although most Canadian online brokerages do offer guarantees protecting investors from unauthorized access, the fine print of what clients must do often varies from brokerage to brokerage. It is therefore important to ensure that you comply with your discount brokerage’s specific conditions to have the guarantee apply.
Finally, here’s a list of a few extra resources to help boost online fraud awareness.
Are you susceptible to fraud, security breaches and online vulnerability?
[i] Sagan, A. (2016, June 29). Average cost of data breach in Canada is $6.03M: study. Retrieved from http://globalnews.ca/news/2793414/average-cost-of-data-breach-in-canada-is-6-03m-study/
[ii] The IIROC lost financial information for 52,000 clients involving 32 investment firms when a laptop went missing in February, 2013. IIROC. (2016). IIROC to support clients whose personal information was on a lost portable device [Press release]. Retrieved from http://www.iiroc.ca/Documents/2013/d8d465f9-0a37-4325-8732-1b12cbd2ddb8_en.pdf
[iii] IIROC. (2016). IIROC issues cybersecurity report cards for dealer firms [Press release]. Retrieved from http://www.iiroc.ca/Documents/2016/8272fe2a-a1a5-4319-9b0c-7739d04ff097_en.pdf