Is your money really safe in an investment account? I’ve previously wondered about that. Any astute person would.
Giving thousands, hundreds of thousands, or millions of dollars to an investment brokerage can be a scary proposition. Doing so requires a little bit of a leap of faith. What if that broker fails and its business goes under? Or worse yet, is physically destroyed?! We’ve all got very important retirement plans, damn it!
And with all of the high profile hacking cases lately, how can you, or I, or anyone really prevent our investment accounts from being hacked?
Fortunately, there are plenty of protections for you that are designed to keep your money safe in an investment account and, at a wider scale, provide the protections necessary for investor confidence in financial markets. But let’s go through each potential loss scenario.
What if My Investment Account Gets Hacked?
The Russian email hack of John Podesta, Chairman of the Clinton 2016 campaign, provided a very high-profile reminder that bad people want access to your accounts – and occasionally they get it. If a seemingly cautious and intelligent individual like John Podesta can get hacked, with so much at stake in an election, what is keeping you or me safe?
Fortunately, the Podesta disaster provides some good lessons on account security that can be directly applied to your own email, bank, and investment accounts. The last thing you want is someone impersonating you logging in to your account and wiring money to a bank account in Ukraine.
It is believed that a phishing email with a link instructing Podesta to change his GMail password is what led to the hack. Lesson: don’t click on links to your accounts from email. Ever. Just don’t do it – even if it looks legitimate. In fact, avoid clicking on any links in your emails. Even if password information is not voluntarily given by you, malware could be installed directly to your computer from the site you visit, which can log keystrokes (i.e. passwords) and more. And for that matter, avoid opening attachments as well.
Not clicking on malicious links or attachments, and not visiting shady websites, goes a long way in keeping yourself safe. But what if your password is stolen in some other way that you don’t have control over (i.e. from the broker’s database itself, similar to the massive Yahoo security breach)?
There’s a simple solution for that: set up 2-factor (aka 2-step) authentication and tag your devices. 2-factor requires recognition of a device you’ve tagged upon login, in addition to your password. Even if a hacker were to have access to your login and password, they would still need to log in from your personal device in order to get access to your account. With this requirement, 2-factor eliminates all but a very small group of people who have access to your login, password, AND device from being able to access your account. For me, that universe of people is 1 person – me.
Had Podesta had 2-factor authentication, it is highly likely that he would not have been hacked. I’ve personally set up 2-factor on all of my email, investment, and bank accounts. If there is an account that you wouldn’t want someone else having access to, I would recommend you do the same. If your broker doesn’t offer it, find a better one.
Also, check out my article on how to protect your identity in an unprotected world for further tips on keeping hackers out of your account and what to do if they do gain access.
What if my Brokerage Fails?
The possibility of your brokerage financially going under and losing all your hard earned dollars is an entirely different ballgame from hacking, obviously. But it’s one you should not be afraid of.
The SIPC (the investment version of the FDIC) insures investors with major brokerages up to a ceiling of $500,000 per customer per account type, including a maximum of $250,000 for cash claims. Additionally, many brokers go above and beyond SIPC protection by purchasing additional insurance to instill confidence in customers. For example, Vanguard’s asset protection coverage states:
“Vanguard Marketing Corporation has secured additional coverage from certain insurers at Lloyd’s of London and London Company Insurers for eligible customers with an aggregate limit of $250 million, incorporating a customer limit of $49.5 million for securities and $1.75 million for cash.”
That’s a lot of coverage.
Also, it’s worth noting that, by law, investor assets and the investment broker’s business assets and liabilities must be kept separate. In other words, they are not allowed to transfer your assets to cover their financial issues. This should theoretically limit the need for insurance in the first place. In practice, this works too. For example, in the catastrophic Lehman Brothers bankruptcy case, 100% of the $38 billion in investor asset claims were recovered and transferred directly to those investors without the need for SIPC funds.
What if my Brokerage is Physically Destroyed?
A third potential cause for concern could come from the investment brokerage itself going up in smoke (literally). What if a fire, natural disaster, cyber attack, or terrorist strike were to wipe out your assets, somehow?
Every broker (and bank for that matter) should have a business contingency and disaster recovery plan. If yours doesn’t – again, find a better one.
“– Business contingency plans. Vanguard designs specific, formal plans to respond to a range of incidents—from worst-case scenarios, such as loss of a data center, buildings, or staff, to occurrences such as power outages or excessive phone volumes. These plans are regularly tested and updated to accommodate changes in contingency requirements.
– Data security and recovery. Data security is, of course, a top priority. To mitigate computer virus attacks and other acts of cyberterrorism, we have implemented controls monitored by a dedicated team of information security specialists. We also maintain a network of redundant systems, off-site data storage, and off-site tape vaults to ensure that all source data are recoverable in a disaster.
– Business contingency tests. All contingency plans undergo rigorous testing, ranging from comprehensive evaluations of a variety of emergency scenarios to full-scale drills in which we close a building and conduct business from a remote location. We also periodically conduct mock disaster drills with the cooperation of local, state, and federal authorities. We conduct integrated tests with critical vendors to validate our ability to work together during an emergency. In addition, our Information Technology division frequently performs disaster recovery tests to gauge how quickly we can regain our systems in the event of an emergency.”
You’re never going to know exactly where and how many redundant systems, off-site data storage centers, and off-site tape vaults a broker has, for obvious reasons – but what better options do you have? Your assets have to sit somewhere, and a broker with redundant systems is likely far safer than under your mattress, in a hole in your back yard, or even at a local bank.
My advice on all this stuff is that you take the safety precautions that I’ve outlined here, find a legitimate broker, and then focus your energy and thoughts on having a good passive investment strategy with a diversified asset allocation. That is the best you, I, or anyone can really do.