Other than perhaps your home equity, your investment accounts, including your 401(k) and other retirement accounts, are likely where most of your net worth resides. What happens if these accounts are hacked?
Here’s this week’s question:
With all the hacking going on whether large or small, how would a person’s IRA, 401(k) or pension be affected if hacked? Are there protections in place for the holder of these accounts?
You’d assume you wouldn’t suffer a loss if someone fraudulently withdrew money from any type of account, whether bank, brokerage, credit card or retirement plan. But that’s not the case.
While there are laws that limit your losses if your credit or debit cards are compromised, there aren’t specific laws protecting you from cybertheft-related losses in your brokerage account.
If hackers gain access to your brokerage account by hacking into your firm’s servers, odds are good you’d be reimbursed. But if the cybertheft occurs on a more personal level, the outcome could be a lot worse.
Say you get an email from your brokerage firm stating your monthly statement is ready for review. You click the link within the email, which takes you to the login page of your brokerage website. You enter your username and password, check your balances and go on with your day.
But the email you responded to was fake. The website you were on looked like the login page of your brokerage account, but the site was a decoy designed to separate you from your login credentials. Now that they have your username and password, the crooks are in a position to empty your account.
Does the brokerage firm have to reimburse you? No. They could simply claim that you’re supposed to keep your login information secret and you didn’t. The fact you responded to a legitimate-looking email isn’t their problem. There’s no law requiring them to reimburse you.
A few months ago, the SEC examined 57 registered broker-dealers and 49 registered investment advisers. According to their report:
Written policies and procedures generally do not address how firms determine whether they are responsible for client losses associated with cyber incidents. The policies and procedures of only a small number of the broker-dealers (30 percent) and the advisers (13 percent) contain such provisions, and even fewer of the broker-dealers (15 percent) and the advisers (9 percent) offered security guarantees to protect their clients against cyber-related losses.
If you’ve got money with a brokerage or investment firm, step one is to see what kind of protection your broker offers in cases of cyber breach. Here are links to fraud policies of three popular investment firms:
As an example, here’s the language Vanguard uses to introduce its policy:
Our commitment regarding online security is simple. If assets are taken from your account in an unauthorized online transaction on Vanguard.com® — and you’ve followed the steps described in the Your responsibilities section below — we will reimburse the assets taken from your account in the unauthorized transaction.
Sounds good. But what exactly are your responsibilities? Here are the highlights.
You can review the details under each of these headings on their policy page, but you get the idea. Unlike with a credit card, when it comes to investment accounts, you’re not off the hook simply because someone hacked your information. You’re responsible for keeping your account safe. Also worth noting is the fine print at the bottom of the policy page, which reads in part:
This protection does not apply to unauthorized activity caused in whole or in part by your fraudulent, intentional, or negligent acts or omissions, including activity by a person whom you have intentionally or negligently permitted to transact in your account, or to whom you have intentionally or negligently given access to security information relating to your account. This protection does not apply to unauthorized account activity or account access by an employer or plan sponsor representative who is authorized to access your account but is acting outside the scope of his or her authority.
In other words, if you negligently allow someone to obtain your login information, the guarantee doesn’t apply. (And who decides what constitutes negligence? They do.) Nor, in the case of retirement accounts, does the guarantee apply if your employer or plan sponsor rips you off; something completely beyond your control.
This lack of investment firm accountability is frightening, particularly in light of the potential money involved and the amount of online fraud that’s occurring these days.
The SEC put out an investor bulletin called Protecting Your Online Brokerage Accounts from Fraud that every investor should read. Here are the steps they suggest:
Click the link above to get more detail on their suggestions. Other sites to review include the SEC’s Online Brokerage Accounts: What You Can Do to Safeguard Your Money and Your Personal Information, FINRA’s Protect Your Online Brokerage Account: Safety Should Come First When Logging In and Out and the FTC’s Tips for Using Public Wi-Fi Networks.
Bottom line? Your investment accounts don’t carry the same legal protections as your credit cards, and they’re likely to contain a heck of a lot more money. Take the necessary precautions.
Courtesy of MSN