Complacency Is Weakest Cybersecurity Link: Dalbar/ThinkAdvisor Study

The State of Authentication in Financial Services report highlights what advisors need to ask partner institutions in order to best protect client data and assets from potential cyber vulnerabilities.

Despite the increasing fear Americans have of personal and financial information being stolen, most financial-services firms have been complacent on updating or implementing state of the art — or even basic — cybersecurity technology, according to a recent study by Dalbar/ThinkAdvisor, “The State of Authentication in Financial Services.”

The most significant finding of the research is “generally how passive people are about the subject,” says Lou Harvey, president and CEO of Dalbar, a Boston-based independent financial-services market research firm.

“The more we’ve examined, the bigger the shock it is as [cybercrime] keeps growing. Look at the number of incidents,” he explained in an interview. “Think about the last day you didn’tsee a news item about cybertheft. I imagined everyone would be up in arms with [cybersecurity], but they were not, and that certainly caught my attention.”

The survey of broker-dealers, sponsored by ThinkAdvisor, Dalbar and 15 financial-service firms, aimed to identify the greatest deficiencies in cybersecurity authentication and to “create a roadmap to improving protection,” Harvey says.

The research revealed that 74% of firms have the same practices they’ve had for the past five years, and only a “paltry” 4% are planning to adopt new practices, Harvey says, adding that he did not anticipate these results.

“No one wants to make a big ado about the threat,” he explained. “When something goes wrong or issues arise [it’s] outside of the financial-services [industry], so it doesn’t grab the attention it should.”

“Unless it happens to a firm or an advisor, it happens in the outside world. There’s a huge difference with someone who has come face-to-face with cybertheft, as opposed to a vast majority who have not,” Harvey explained. “Those who have had accounts opened or money withdrawn are passionate about the issue, but that has not translated to a general concern.”

Most firms have run across the phishing of their accounts, but nothing in a big way, like 10,000 accounts being affected. “Until someone like Julian Assange gets out of playing with the government and starts playing with money,”  firms likely will not move to make changes, Harvey says.

More Key Findings

The most widely used authentication practices within the industry are procedures for failed logins (66.1%), while the termination of sessions after a period of inactivity is used by 60.4%, according to the study.

In addition, 57.3% of firms have the ability to cancel, replace and communicate about a password if an account has been compromised.

The best-fortified businesses are retirement service providers, which take advantage of 30.1% of authentication practices, followed by investment providers (29.7%) and life & annuity providers (28.7%).

Key points of access by bad actors include websites (at 34.3%), followed by mobile devices (28.7%), interactive voice response (22.9%), phone centers (21.6%) and electric statements (24.7%).

Phone centers that employs humans thwarts thieves, since an account or other change must go through a real representative and not just a computer, which Harvey refers to as a “picket fence” defense. The “stone wall” defense is an aggregation of all defenses stacked together, he says, not just one or two.

Financial advisors should be very concerned about the cyber defense of their broker-dealers and other institutions that hold client assets, such as investment firms, insurance companies and record-keepers, Harvey points out.

“Advisors have a role in all of this. The advisor is going to be called to account if something in fact goes wrong. If a client turns assets over to an advisor, the advisor puts them somewhere, and they get [stolen], the client will blame the institution, but doesn’t the advisor have complicity for having it [at that broker-dealer or other firm] in the first place?” he asked.

His answer is “yes.” Advisors generally believe that client assets are safe thanks to the diversification of their investments, “but are you [diversifying the] institutions you use [for cyber defense]?” the Dalbar executive inquired.

Other Research

According to a recent study by the American Institute of CPAs, eight in 10 Americans are concerned about the ability of businesses to safeguard their financial and personal information, and three in five say they or an immediate family member have been the victim of some scheme to defraud them, ranging from a letter or phone call from someone impersonating an IRS agent to someone opening a line of credit in their name.

In late March, New York Attorney General Eric T. Schneiderman released a report stating that there were 1,583 data breaches reported in New York State in 2017, exposing the personal data of 9.2 million New Yorkers — four times the number impacted in 2016.

To prevent the loss of investor assets, advisors need to question their BDs about to their cybersecurity practices. “It should be a part of every RFP,” the Dalbar chief explained.

Though many firms have been hacked for clients’ personal information, it will take a major financial loss to move the bar. “It seems to me that once we have an ugly scandal with money lost as opposed to personal information [being taken], this will get people’s attention,” said Harvey.


The key findings of the Dalbar/ThinkAdvisor survey on how firms use certain authentication practices are listed below; a mark (X) in the Usual Practices column means more than a-third of respondents use the practice and therefore it is considered usual.

IDAuthentication PracticeNumber Responding% in UseUsual Practice

1Username/Password for identification  294 54.1%X

2Confirmation process for changing username/password/email  29447.6%X

3PIN for authentication  29419.7%

4SSN for identification or authentication  23830.7%

5Two Factor Authentication – a process that involves both: Factor 1 – information that the user knows (like account number) and – Factor 2 – something that they have (such as a token) or a separate channel (such as email or text message)  28225.5%

6Multi-tiered authorization (i.e. Tier 1- Account info; Tier 2- Personal data/transactions)  22833.8%X

7Personal security questions  28241.8%X

8Separate on-file medium for authentication (phone/email/etc.)  28236.2%X

9Voice ID  2829.6%

10Fingerprint  17615.9%

11Facial Recognition  1763.4%

12Other biometric (please specify)  2260.0%

13Patterns in login history to alert for possible risk   7828.2%

14Detection of change to flag possible risk (Device/IP address/etc.)  17634.7%X

15Challenge-response test such as Captcha  2269.7%

16Changes in volume mix of activity  22423.2%

17Same IP address in activities in other accounts  12020.0%

18Terminate session after timed period of inactivity22459.4%X

193rd party user management/authentication solutions28022.5%

203rd party fraud prevention solutions  28030.7%

21Procedure for undelivered email  28038.6%X

22Procedure for undelivered standard mail  28051.8%X

23Procedure when there are no logins for an extended time  22419.6%

24Procedure for multiple failed logins  22463.8%X

25Temporary password for immediate access  22441.1%X

26Ability to cancel, replace and communicate password if account is compromised  28056.4%X

27Password expiration after a period of time or set number of uses  22423.2%

28Multiple source verification for transactions (i.e. advisor and client)  22627.0%

29Restrictions on transactions that could be used for fraudulent purposes (address/registration change, etc.)  22653.1%X

30Limit access for high profile accounts   28022.5%  MORE