LPL and its vendor Capital Forensics, Inc. continue an investigation into a data breach that occurred on Nov. 1, where one of Capital Forensics’ third-party platforms was attacked. While the exact details of what happened are still being sorted out, the breach, which Capital Forensics said was contained within six hours of its occurrence, exposed the personal information of some LPL advisors' clients.
But it affected more than just LPL.
Weeks after the hours-long breach, Capital Forensics, which administers the broker protocol agreement among more than a thousand firms, has limited its public response to a few sentences. A “small number” of clients were affected by the attack, according to the statement, but there was no indication of how many records were compromised. A company spokesperson couldn’t provide an exact number of companies that were impacted, noting that “outside legal counsel and forensics experts” were working with authorities to piece together exactly what happened, even though the breach occurred over two weeks ago.
Despite being unable to publicly enumerate the clients affected, Capital Forensics said that “all affected clients have been notified.” The firm has also refused to publicly name the vendor system it uses that may have been the point of vulnerability, stating that it was a “secure third-party platform.”
The lack of public transparency could be endangering other financial services firms, said Sharron Ash, who handles issues such as commercial litigation as the chief litigation counsel at the Hamburger Law Firm. “Part of the benefit of publicizing data breaches is that it gives others an opportunity to look at their own systems. It gives others an opportunity to try to get ahead of other breaches,” she said. “The more information we all know about these breaches, the more firms can protect themselves and protect their customers from future breaches.”
There’s a real risk that Capital Forensics is further damaging its reputation by holding its cards close, said Ash. There are over 1,800 financial services firms that interact with the company after it took over the administration of the Broker Protocol in January. The breach occurred despite the firm’s hiring of two former chief compliance officers this year, one from Raymond James and the other from J.J.B. Hilliard, W.L. Lyons, LLC. The firm provides data analysis, expert testimony, litigation support and regulatory consulting for a range of clients in financial services, including other broker/dealers, banks, insurance companies and registered investment advisors.
How a firm handles a breach can have a big impact on how it’s viewed in its industries and by its customers. “How many folks do you know that no longer really want to pull out their credit card at Target?” asked Ash, pointing to the retailer’s 2013 data breach and its impact.
The breach is creating headaches for advisors, too. While the breach is still under investigation, advisors whose clients were affected were notified by LPL before letters to clients were sent out. This gave advisors enough time to reach out directly to clients and discuss the breach and its ramifications, said Jamie Cox III, managing partner at Harris Financial Group in Richmond, Va. He had clients that were affected by the breach and praised LPL’s efforts to support its partners.
“LPL has done everything humanly possible to assist us in this process. That’s to their credit,” Cox said. “This is not LPL’s fault.”
Another advisor with clients affected by the breach, Stacy Bush, president and founder of Bush Wealth Management, LLC in Valdosta, Ga., filmed a video recording for his clients, explaining what happened. He also had a favorable impression of LPL’s response and transparency, noting that the firm sent advisors a list of exactly which clients were affected, along with talking points providing information to those affected.
In a statement, LPL noted it had “immediately implemented procedures to protect our financial advisors and their investor clients” upon learning of the breach. The company said its own systems were not compromised and that it took immediate steps to remove LPL data from a file sharing system used by Capital Forensics. It has also launched an investigation to understand what happened.
Breaches in the banking, credit and financial sector are becoming more common, according to the nonprofit Identity Theft Resource Center. The organization identified 134 breaches in 2017, up from 51 the year prior. Hackers produced the majority of last year’s breaches across all sectors, but there were still over 110 breaches that occurred as a result of subcontractors or third parties. Last month alone there were five breaches in the banking, credit and financial sector, according to the organization.
The breach should be a wake-up call for advisors, said Cox. “It highlights for advisors the importance of protecting information, because we take for granted that the information is secure. We do everything we can to make sure of it.”
It should also signal caution for independent advisors who don’t have the backing of a firm like LPL, said Ash. “They need to be, not only developing those policies and procedures, but then observing them, periodically testing them and making sure that they have covered their vulnerabilities,” she said. “Cyber security and data breaches continues to be an area that is an ever-increasing threat.”
There are regulatory considerations, too. Voya was hit with a $1 million penalty by the SEC for its cyber weaknesses that affected 5,600 clients. There will likely be a regulatory inquiry into this data breach as well, said Ash.
While no company wants its partners, employees or advisors to have to broach the topic of compromised data, there’s a lesson in this breach, said Cox. “It’s not about whether your information is taken or stolen. It’s how the firm responds to it that really matters,” he said. “All financial services firms have one currency, and that’s trust.”