Protecting Your Finances and Data: Cybersecurity Essentials

Welcome to EWA’s Finlit podcast. EWA is a fee only RAA based out of Pittsburgh, Pennsylvania. We hope all listeners of this podcast will benefit as we deep dive into complex financial topics that we will make simplified for you. And we hope that this really serves as a catalyst so that you can make the best financial planning decisions for your family and also save time. Welcome, everyone, on Today’s Finlit podcast, joined by Jameson Smith here. And today we’re talking about cybersecurity. So we’re really going to break this down between three things. So what can you do as a client or an individual? What can you do as an individual? Protect yourself before a threat happens. So we’ll call that proactively. And then also, if something has happened, what to do reactively.

 

Then we’re going to talk about what should you look out for if you do decide to work with a financial advisor, what can that team specifically do to safeguard your information, your money, your assets, et cetera? And then the third thing, and this is really the most important one, is what should you look out for in a custodian? So where is your money actually held? And if you have, like, say, my money is with this insurance company, it’s probably not. They have a custodian that backs up, and there’s several big, large custodians that most people use. So we’ll talk about that as well.

 

And I think that is the most important one, because high level, if something really bad happens where it gets to, like, money is actually getting stolen from some criminal, the custodian needs to have the protections or insurances in place, et cetera. So let’s start with. All right, well, James, let’s just go back and forth. So let’s assume that we are words and nothing’s happened yet. Let’s just go through a couple of things that we can do to protect ourselves. Anticipating, and everyone should be anticipating attack. I mean, the amount of you look this up, what are the.

 

There is a study, basically, Deloitte did an interview. They interviewed thousands of executives for their company. 91% of organizations reported that they’ve gone through some sort of cyber breach. And then I think there was another study I read. I don’t know specifically, but this had jumped up since the pandemic, just because the more remote work people are at home, everything’s more virtual. So, yeah, it’s very common. And then also with AI, too, they’re able to create. They could make a deep fake of us sitting here talking, and it would look like us. They could replicate us. Obviously, it makes hacking much easier.

 

Everyone should be concerned. If you ever used any phone, a computer, et cetera, it should be front of mind. Okay, so let’s go through some general rules, and this is what you can do as an individual. So I think let’s start with the low hanging fruit. And I’m so surprised by this, but whenever you’re public at an airport, at a coffee shop, or whatever it is, the first thing I do is I never use a public wifi. And this is advice I got from a book I read on how to protect yourself. Because we’ve gotten more and more questions every year, is turn your phone into a personal hotspot. Don’t share the password with anyone. Now it’s your channel, your specific Internet that if you’re on a public wifi, it’s so easy.

 

And then you suddenly log into your financial accounts, the chances that can get stolen or go way up. So number one rule of thumb I have is never log into a public Wi Fi. If you do not do anything with your personal information on, mean even checking ESPN, if you have, like, a membership there that could hack, because then they could. So just in general, never go into public Wi Fi. And if you have to, don’t be checking any personal accounts with it. So my workaround with that is I always use a, I change my phone into a personal hotspot. I do have a lot of data in my plan for that specific reason, so I never get compromised. So what about you, Jamie? So what’s your next? I.

 

The biggest thing is your email is the easiest way somebody can get all of your information. So your passwords obviously are really important, but your email password you should protect religiously, have it different than every other password, have dual authentication set up. So be super protective of your passwords, change them regularly. Don’t make them all the same, obviously, and then use as much multi authentication as possible.

 

Yeah. So let’s talk about multi authentication for a second. Every time I log into my financial accounts, I get a text code or an email code. So I prefer a text code because if someone has stolen my information, most likely they have my passwords, including my email. So I try to make all of my. So if I log into fidelity, for example, I get a text code and I need that text code or else I’m not getting on the account. So why that’s important is now, this is an extra layer of security. So if someone in a different country has my passwords, they get on well, they can’t touch anything unless they actually have physically stolen my phone.

 

So the chances that they physically stole my phone, as long as I’m making responsible decision throughout my life, keeping it with me, keeping it protected, the risk, I want to say, goes down dramatically. So I think that one’s so important is make sure now this is not like, okay, now I’m fully protected at all. This is just dramatically reduces your risk of someone actually hacking your accounts if you have that two factor authentication set up for every important possible account that you have. And so you said another thing about email is if someone logs into your financial institution, they also have your, and your codes are going to your email. And they also have your email. Well, they can go in, they can log in your email, you could change your password, and then they could change what email is attached to the account.

 

And then from there it really is where real damage can get done because then they can start getting new codes and change bank accounts and change. And so it takes a lot of work. But these cybercriminals.

 

Experts.

 

They’re experts, yeah. And obviously they’re criminals. So they’re not here to just do this for fun, they’re here to cause damage. So phone authentication, two, factor authentication, super important as an individual to set up.

 

And then I think one other thing to be just being aware of what they’re trying to do. So they’re going to try to get in phishing emails or phone calls, to take your voice recognition. They’re going to try to get into the data, take control of it, grab your data and then ultimately sell your data. So they could sell it to a third party or I forget what it’s called. It’s like ransomware or something is the number one way they trade it. They’ll literally come to you and say, I have your data now pay me to get it back.

 

Yeah, absolutely.

 

So if you’re aware and can recognize it, you can obviously help protect.

 

Okay, so securing your email is super important. So obviously your email, so much stuff goes through your email. I always have a recovery email set up. So I have a work email and a personal email and both are. So if someone were to hack my email, I can have recovery mechanisms in those by having the accounts not linked, but just used as a backup. Now, as far as other tips as an individual, before we go from the proactive stage to the reactive stage, what else, if anything, do you have to add there, Jameson? I’m going to say something I do personally is really three things. One, I focus on educating myself. This is a more and more prevalent thing every year, the amount of cybercrimes goes up on individuals and companies dramatically.

 

Secondly, with AI like deep fakes, and this is just getting easier and easier to do, there’s a joke I saw like a meme where a deep fake was created and they called a senior citizen and said it was something like, I have your password and threatening. And the grandma was like, oh, thank God, what is it? Because they obviously don’t forgot it. So it’s pretty funny. But the deepfakes is really more and more common. And so the three things I would do personally is, one, educate yourself. Two, purchase some kind of insurance program. So I use a company called Lifelock. And lifelock monitors, it’s a small fee, I want to say it’s 30 or $40 a month, but it monitors the dark web. For all my information, anytime something happens to my credit, new accounts open, closed, et cetera, I get notified immediately.

 

And then also I pay for liability protection. Because really what happens if something, worst case scenario, someone steals your identity and you need to hire attorneys to recover it. They cover you up to a million dollars to help with those fees and recovery processes, et cetera. And so that to me, because most of if you’re not at fault and you have a good financial institution like fidelity or a good bank account, or even if you’re putting credit card transactions under fraud, those financial institutions will protect you. They’ll recover your losses as long as you weren’t at fault for it. But there are instances where if you’re negligent and your identity was stolen completely and new accounts were established and there are some things that are not covered.

 

That million dollars of protection just really helps me sleep well at night so I’m not having to pay a legal team recovery. So in my opinion, I’ve never had to use that, thank God. But it’s a sleep well at night mechanism. If everything happens, I pay for it for 1020 years, it’s going to be money well worth spent. And then the third thing I do. So the first thing is education. The second thing is I buy that program, that insurance, and then I also use a program called delete me. And that’s like, it’s really cheap.

 

I’m going to say, I don’t even know, a couple of year they go through because all these tech companies harvest your information on the Internet and they make these profiles where I think the first time I had, because basically the goal is delete your information off the Internet and the dark web as much as possible. And so I think every month they go in and do a new search and start deleting information. But the first time it was dumbfound. It was like probably 50 places that most of my information was on and they go through and spend the time to delete it. So I think that’s an important mechanism as well as just scrubbing your personal information off the Internet. So that’s number one. So number one, education.

 

Number two is the programs I purchased, and number three is I do scan on a monthly basis a high level review of my financial statement. So if you look at the three worlds of my financial life, just as an individual, I really have my day to day, which is just basically like banks and credit cards where all my spending. So there I review once a month and just make sure most of my spending is done on a credit card for points. So the banks, I only spend out of two accounts. Every other account I keep the same balance there like an emergency fund. So those are easy checks. Like I know what the balance should be, easy check.

 

And then once a month I just go through the bank statement with activity ledgers online of my credit card and my bank and just spot check. And every once in a while there’s a couple of transactions. I’m like, that doesn’t look right. And I want to say like three times in my life there have been fraudulent activities. Easy secure message the credit card and say, hey, refund me this and send me a new card. That’s easy. And the nice thing about credit cards is any fraud is easily protected. So I use Chase bank, for example, for most of my credit cards. And from a banking perspective, it’s tougher. So I’d recommend if you can, don’t do debit card purchases. There’s not as much financial protection as a credit card.

 

And credit cards are more incentivized for you to use them because they collect 2% off of most transactions off of vendors. But once a month I’m just doing a high level scan of does every transaction look right? So that’s the short term world. And then the long term world is really fidelity is where most of my investments are kept. And then obviously I have like insurance assets, but there I’m not doing transactions I’m investing money in. And so you can pull up an activity once a month and just see and just do a query what transfers out occurred. And as long as there’s those transfers out, you’re good. I do recommend once a month or once a quarter going through and checking and this takes me 15 to 20 minutes. Once a month because of how simplified.

 

And I have everything consolidated in certain places that are fully protected just to do a high level review. And that’s something I would recommend everyone do as well, is do that high level review. And if something’s been compromised, it’s typically an easy fix if you have your money and transaction set up in the right place. Anything else that you’d add. So we’re still in the proactive world of the self. Before we go to the reactive world of how to protect yourself, which would really just be, let’s assume someone does have your identity stolen. What do I do next? Anything to add in that proactive realm, Jason?

 

I think that’s pretty good summary of everything that people should be thinking about.

 

Okay, perfect. Okay. I guess you ask me, let’s assume identity has been stolen. What it was.

 

What would you do?

 

Paint the picture for me? Because I think that’s going to depend. You’re in Costa Rica, one of my favorite places.

 

Yeah. And someone steals your cell phone and they steal your cell phone and you think they or you know that they got into your fidelity account or.

 

Ooh, okay. Yeah, it’s a good, it’s a hard one. Yeah. Well, actually it’s a pretty easy. I’m going, I’m going to a restaurant. I’m calling fidelity and I’m saying, hey, freeze. My identity has been stolen. Please freeze everything. That’s easy. If I catch that right away, they’re not going to have the time to go in. Do text. First of all, fidelity. Recognize if you’re international and there’s extra safeguards. Like, it’s a pain in the butt. I tried to get on my fidelity account last time I was traveling last year, and it was like I had to call in, which I appreciated because it was so secure. I was trying to make a trade for tax loss harvesting or something at the end of last year. And it was a pain.

 

I’m glad it was a pain, though, because they recognize right away you’re not in the US. Is this you? All these extras, even though I had the two factor identification in. So I would call them and say I would freeze my accounts, which means no money can go in or out of the accounts. And that would take care of that. Then I would call my bank account and I would again freeze the accounts. And then the third thing I would do is I’d take my credit cards, freeze them, and then I would freeze my credit. Then there’s three bureaus I would do that with. And then the damage is really at that point is pretty low. I would call Apple, I use an iPhone, tell them my phone’s been stolen. I believe they could do a know reset. I believe, yeah.

 

I think if you have your. Find my friends to somebody. So if you have one person you trust, I think you can freeze it from if you sign into your Apple id on there. So that may be a good thing to do. You might want to confirm that.

 

But yeah, pretty sure you can. Yes. I’d call Apple. I tried to hard reset and then just start rebuilding from there, but that would actually be pretty. I think I could do all that in a half hour.

 

Yeah.

 

And then I would go in, I would get access to a computer and start changing passwords. But I have my phone on my phone to get those text messages. So that would take a little bit more work.

 

Yeah.

 

So I’d probably have to call. Well. So from a work email, I’d call our it people, they can remote in, they can freeze the work would thank God. But the personal email would probably have to call Google or go to an.

 

Apple store, get a new iPhone, sign in with your Apple id, and then there you go.

 

I don’t know if Costa Rica has Apple stores. The point is, if you’re traveling in an Ashley, I wouldn’t be worried about. I would be able to quickly protect it. I would obviously be stressed, but that’s the highest risk. Do not lose your cell phone or have your cell phone stolen, especially if you’re traveling in the US or anywhere, especially out of the country. But that was good stress test.

 

Yeah. And I’ve done this internationally. If I’m staying in a hotel or an Airbnb, I’ll put my phone in the safe. And then if I go out to dinner or something, I just don’t take my phone with me. Just so there’s nothing that could happen.

 

Yeah. Sometimes I’ll travel with like, a belt that straps or a wallet that straps in your belt loop and you tuck it in. That way no one can actually pickpocket you. I kind of look like a nerd, but no one knows because it’s like, except when you’re paying a bill, you have to pull your pants up. But, yeah, you should be so careful. But these are good stress tests to do, for sure. Okay. So other reactive stuff. If something really happened, they opened up accounts and I would call lifelock. They would start recovering, fighting the fraud. Like if someone opened up a loan, like, credit cards are good, bank accounts are a pain. But generally, if you have a good. If you’re not negligent. And you check with your bank account, do they cover?

 

And then fidelity I’d be the least concerned about because they have protections in place, obviously, and we’ve seen that happen before. And really the big thing is if they successfully open up like a big loan under my name, and then I can’t prove it’s negligent, that’s where the lifelock thing would really come into play. Attorneys would come into play and fight that. And, you know, at that point, hopefully, I wouldn’t be liable for anything. But that’s where freezing your credit is so important immediately. Because if you freeze your credit, that’s where the most damage can get done. The most damage can get done if they steal existing assets. You have, if you have your money at the right place, that’s a very low risk if you know what you’re doing. And the second thing they can do is open up new accounts.

 

So how do you proactively, you, one, have your money at the right place so they can’t steal existing assets, have the right protection in place, and then secondly, you freeze your credit immediately. And then if a fraudulent loan can’t be taken out in your name, and that’s easy to do, it’s more painful to unwind, unfreezing your credit. I meaning it’s going to maybe take a couple of hours, but freezing your credit is generally pretty easy.

 

All right, so what should we look for? Next area is going to be for an advisor.

 

Okay. This is a huge differentiator because most people don’t realize when you work with a financial advisor, your money is never with that financial advisor. Your financial advisor is giving you advice. They may have authorization to trade your account, but they don’t have authorization to take custody of your money. If they do, there’s a whole nother set of regulations and oversight that have to occur. So the next thing is advisor team. The third thing would be the custodian where your money is actually held.

 

I guess. Yeah. The first tip would be have an advisor that’s properly set up that they aren’t custodian your money.

 

Yeah. Any big names of recent crime that’s occurred in the financial space. That’s really where the conflict occurs, is where the oversight, where the advisor has too much control. So I would first look for an advisor team, like you said, that doesn’t take actual custody of your money. So in our example, we have fidelity and Charles Schwab are the custodians, we’re the advisors. Our job is to take all stress off your plate, help you with all decision fatigue, all your financial plan, manage, trade, the investments, make the money movement occur on your behalf. But the custody is obviously happening at Fidelity or Schwab. Okay, so what do we look for in advisor team?

 

So if you’re on the client side, ask the right questions of where’s your information stored, who has access to it. So obviously, like our case, we have, and the first thing, we’re registered with the SEC as an. So that’s look for how an advisor is regulated, whoever sees them. So everything we use, any piece of tech, any piece of data storage, gets audited by the SEC, SBSEC approved. Obviously, they’re a huge regulatory body, so they’ve done their research. They’re a government agency. So first thing, ask where’s your data stored? Obviously, it’s 2023, about to be 2024.

 

They shouldn’t have filing cabinets and paper documents anymore, have it on a secure database on the cloud, who has access to the information that’s accessible on their form, Adv, if they’re an RAA, and that’s all public, you can see who’s on the team, who has access, what their credentials are, what their background is. Those are probably the just big things, but anything else to add?

 

Yeah, I would say so. Make sure the advisor has the right insurances they personally buy, which obviously we do. I’ve talked to a lot of advisors that surprisingly don’t think about this or don’t have this. The second thing is make sure they have a very knowledgeable, outsourced it team that has the control mechanisms if a breach occurs. Advisor is an expert in the financial space and not an expert in it. So we have an IT team that would pay well to manage these risks for us. If something happens or able to take over remotely very quickly, and then you need to have security policies and procedures in place. Employee training, client education. I think the biggest thing is secure communication between your clients is how you get information. It’s convenient to send an email with a tax return or send it.

 

The best way to do this is we use a software called Emoney, and Emoney has a secure vault that we ask clients to upload all that information to. Because emails are easy, you can send a secure email, you can send a document that’s password protected, that’s easy to intercept, versus if it’s in a secure vault. And I know you’ve researched emoney, so give us a little background on why that’s a more secure channel than an email to retrieve information.

 

Yeah, they’re a big I don’t know how big, I guess, in the grand scheme of things, but big in the advisor world. Like most rias, most advisors use their. So they’re obviously, again, all these advisors, sec or FINRA regulated. So they’re overseen. A lot of protection mechanisms, but just their technology from our research is very up to speed, very secure. They’re using top of the line, up to date secure technology for linking and everything, but as far as account aggregation. So, like, e money has a live, obviously, there’s the vault that you can upload documents to, but then there’s a live balance sheet where you can link all of your passwords and everything.

 

And so that from the surface could be like, oh, I don’t want emoney to have all my account logins, which is very fair, but how these technologies work, they basically use, like, a third party company or data storage center that links all the accounts and the logins to. So if emoney or, like, this is the same for how any of these technologies work, if that company got hacked, they don’t have all your information. It’s stored at this third party secure database, essentially. So things like that, just do your homework and ask the right questions and should be able to tell pretty quickly if it’s secure or not. The other thing I’d say with your advisor, make sure they’re transparent and can give you a direct answer.

 

If they can’t answer these questions for you, then they probably have no clue and they’re not thinking about it.

 

Yeah, absolutely. So the other thing I’m going to say is client verification is so important is if a client were to email us, hey, I want money, and transfer it to a new account. We got to get verbal authorization immediately. We have to make sure money movement has to be, there’s got to be client identification before there’s any money movement. And then secondly, we have a list of procedures where if someone’s asking us to, hypothetically, the easiest fraud example would be like, hey, I need money back for this, but I need it sent to this account, which isn’t linked yet. Like red flag, we’re calling right away. I mean, that’s the easiest, low hanging fruit. But there’s so many phishing scams these days where you click on a link and it’s like, it looks like you purchased this.

 

And the recent one I’ve had a lot of clients ask me about actually is actually like the geek squad from Best Buy. There’s a common one. It’s like your plans expiring. Call this, or like, you have a credit or something like that and had a couple of people do that, and then you get on the phone with actually someone live. This is all fraud.

 

That’s where they can take your voice.

 

Now they’re getting your voice, they’re replicating. They’re getting all your information without it. So you just have to be extremely trained, educated, and have a team, whoever has access for the decision making, to go through the proper steps and procedures to make sure that the fraud stops immediately. And you’re verifying everything and being transparent about everything up front. Okay, anything else to add for an advisor team? So, as a client, I would ask, do you have insurance? Just to repeat, do you have cybersecurity insurance? Do you have an it team? What do they use? How do they use it? How do you receive or give information? How do you store information? And then what are your procedures if something does happen?

 

Those are the basic questions I would ask your financial advisor before working with them and make sure they have very strong, suitable answers. Okay, let’s go to the most important one. Obviously, what you can do to protect yourself, your advisory team needs to be very knowledgeable about cybersecurity, but then the most important one is the custodian, because ultimately, this is where your money is. So let’s use fidelity as an example. I know one of the main reasons we chose fidelity is because they’re top of the line cybersecurity protection. So, Jameson, start us off with why. What are some of the basic mechanisms they have in place for cybersecurity protection?

 

Yeah, we have these right in front of us. You could google this. They have all these publications. We probably have 50 pages right here of just documentation that they’ve put out on what they do from high level. They have all the low hanging fruit stuff. Multifaceted authentication. It’s very easy to go on and call it. Like you said, freeze your account, block any money movement. You’re supposed to get a text if anybody logs into your account, any type of security.

 

I get that every time.

 

Yeah.

 

Anytime money is moved, a check is put, cash, anything like that, I’m getting notifications immediately.

 

Anytime you call them, they have voice identification. So if somebody tries to call to be you, they’ll know. And then this was interesting. They were ranked number one for cybersecurity and privacy among all asset managers in 2022 by some organization that studies that stuff. So that’s good. And they’re over. Huge company, over $10 trillion of assets. Anything ever happens.

 

Let’s talk about the pro. So the con of that is they’re at a high risk for cybercriminals are going to go after people.

 

I think wealth management firms in general are high risk because they’re managing people’s money and they have people.

 

Absolutely. That’s where the money is. Right. But they’re at high risk because of their one of the biggest custodians that exist. So the three resources that you can just Google. One is called the defeat the AI enabled cybercriminal. This talks all about deepfakes and what they do, but the real pros is Fidelity has the financial backing, really, to do two basic things. So one is they have the insurances in place. So SBIC insurance is up to $500,000, but they also have additional insurance to cover up to 1.9 million of cash per customer. So literally of cash, like money market cash, and then up to 1 billion in security.

 

So if something happens to fidelity, they have the insurance in place per customer to recover up to a billion dollars of stocks, mutual funds, etfs, and then for cash, specifically, 1.9 million of cash, which is the highest limits we’ve seen.

 

Yeah, I would say, in my opinion, fidelity is probably the safest place you can keep your money from any custodian or.

 

Yeah, this isn’t our expertise, but based upon our in depth knowledge of when deciding the custodian, et cetera. The second article they have is very detailed as protecting client data, and it goes through all of the processes, procedures, ongoing education. What if something happens? How do they detect it? And it talks about all of their governing practices, risk assessment programs, risk management strategies, et cetera. So this will be a couple of hour long podcasts, if we just talk through all this. But for anyone interested, the main message we’re trying to convey to our audience is cybersecurity. Risk is a real thing. You have to be really careful, and you have to do the due diligence to make sure your money’s the right place. We’ve done that in fidelity, and we feel obviously very comfortable.

 

But I do want to end saying this, that risk is not anything we’ve described. I mean, if anything, that’s just management. Risk is the unseen. And so if risk is the unseen, for you, it’s manage, essentially. How well can you respond to something that you didn’t know existed to a new threat that no one’s ever seen before? And that’s where I think it’s really important to have the procedures in place, to have the right team, advisory team in place, and have the right custodian. In place, because that alone, if we look at through, okay, here’s all the ways my identity could get stolen. I would say a lot of institutions could probably handle those, because now that we’ve seen them, most people have put the procedures in place.

 

Well, cybercriminals are always inventing new ways to go after people’s information, to steal identities, to steal assets, et cetera. So risk is really the unseen, what we have not seen before, the new threats that no one’s uncovered. And so having the right institution that has the right backing and the right advisory team to respond quickly and proactively, that’s the most important thing, to really cover yourself from risk again, which I would define as the unseen, the unknown. Any closing thoughts, Jameson?

 

No. Just do your homework, ask the right questions, and make sure you’re doing everything you can to protect your money and your identity.

 

Excellent. Well, thanks for joining us, and we’ll catch you next week. Thanks for tuning in to our podcast. Hopefully you found this helpful. Really hope this is as beneficial and impactful to as many people across the nation as possible. So hit the follow button, make sure to rate the podcast, and please share with any friends or family members that would also find this beneficial. Thank you very much.