Menachem says we constantly keep our networks and systems updated. We work closely with a third-party partner to run diagnostic tests, keep an eye out for suspicious activity and solve technical issues. Furthermore, we run monthly phishing tests to make sure employees know not to click on suspicious links.
Menachem also suggests being intentional about creating and maintaining passwords. There are password managers like 1Password, which you can access with one master password while it generates various strong passwords for different accounts. Chris also recommends creating a different email account for your financial accounts that is separate from your personal email.
Furthermore, Menachem says it is a requirement in the financial services industry for advisors to monitor all substantive business communications; therefore, WhatsApp and iMessage are not viable ways to communicate with clients because they are not subject to archiving and monitoring. We stick to methods of communication like email, calling and an approved way to text clients that improves convenience while still adhering to guidelines and protecting sensitive information.
Watch previous episodes here:
Hello, everybody, and thank you for joining us for another episode of THE FINANCIAL COMMUTE. I'm your host, Chris Galeski, joined by Chief Compliance Officer and Partner here at Morton Wealth, Menachem Striks. Menachem, thank you for joining us.
Thanks, Chris. Pleasure to be here. Thanks for having me.
We're going to go off topic a little bit, not talk necessarily about investments or what's going on in the markets or the economy, but talk about discuss a topic that many clients want us to be on the lookout on how to protect them. And that's cyber security. It comes up from time to time. There's a lot of fear on ways that we can protect ourselves.
So I'm looking forward to having this discussion with you.
Yeah, me too. Excited. I think, like you said, it is kind of a scary word, but I think with a little bit of information and hopefully some good practical tips, we can make it a little less scary for our clients.
I agree. And I'm glad that my primary role is being an advisor and I don't have to worry about protecting our organization and all of our clients from cybersecurity. But that's something that you focus on a lot. Why don't we start with how Morton Wealth is protecting our clients with regards to cyber security? I know advisors have a lot of information at their fingertips and it's important that we start first with how the company can can protect clients.
Sure, absolutely. And like you said, you know, we have access to a lot of our clients assets, obviously, but almost as important is access to their information. And so we want to make sure that we're doing as much as we can to protect them. And so on the more technical side of things, we always are making sure that, like our networks are secure and our software is up to date, we work closely with a partner that runs all those diagnostic tests in the background.
And makes sure that nobody's logging in from like a weird IP address that we're not aware of or some anomalies. And like the data flows, all those kind of technical things that I'm not an expert on. I rely on them heavily. And we're, you know, in constant communication around the results of those tests, so they, they're doing a lot of work kind of in the background to make sure that our network is secure and our software is up to date.
Has that changed a little bit now that we have somewhat of a hybrid work environment and there can be people that, you know, log in from, I don't know, Hawaii or Tahoe or Arizona or wherever when they're on vacation?
Yeah, it has. And I think now we're kind of most of us are back in the office, so there's a little bit less of that. But it was, I think, a little bit challenging for them when we were all remote. The good news is for us, I think we were sort of concentrated in Southern California. So they're really looking at more if it's coming from Eastern Europe or some other nation state that maybe we should be suspicious of.
That's more what they’re looking out for.
That's good to know. And then from time to time here in the organization, we get those tests or those, hey, aha, surprise. We ran an audit of our company. Talk to us a little bit about, you know, how you work with our third party teams to see where we're vulnerable.
Sure. Yes. We're kind of always trying to keep people on their toes and making sure that everyone's, you know, using some caution. And so every month we run what's called a phishing test where, you know, you'll get those emails that are kind of a little bit suspicious looking. You're not sure. I got a FedEx package waiting for me or, you know, I need to reset my Microsoft credentials and they're sent out by our cyber security partners and they can give me a list of who's clicked on to those emails, who's put in their credentials.
Hopefully those list of results is pretty small and we've been doing a great job. But, you know, there's always room to improve and we always want to keep people on their toes.
But those phishing emails have gotten very, very good. I know I've got family members or friends that you know, have been exposed or, you know, fallen for those types of traps. You know, the logos look good. The you know, it's pretty easy to go, oh, you need to update your password and you click on a link.
They've gotten a lot better. So we have to be careful.
Yeah, for sure. And I think that's always sort of the name of the game is just using caution. I know we're inclined to sort of rush through things and try to get through our email list or to do list and just kind of slowing things down, taking a beat, looking at it, making sure that everything is legit before you click on something is sort of a good way to go.
Thanks, thanks Menachem. And you know, when we're talking about cybersecurity, obviously, as a company, we're making sure that we're working with our third party partners to test our system, make sure things are up to date, even running tests to make sure our employees are aware and can spot things. The fun part is how can clients best protect themselves?
I know myself personally got a thousand usernames and passwords it feels like, and you definitely don't want to make them all the same. So how can clients help protect themselves?
Yeah, sure. And I think that like you hit on it really is passwords I think is sort of the most important way for clients to protect themselves. And like you said, we don't all have unlimited brainpower to remember a million usernames and passwords. And sort of the easy solution is to use your Netflix password for your banking app or something like that.
And that's obviously something that we want to avoid. And so a really good solution for that is using a password manager. We have a couple that we like. One is called 1Password. So the number 1 and then password or there's a bunch of other options out there. But you basically only have to remember one master password, you make that a really strong password, but then once you have that, it can store all your passwords across, all your devices can generate really strong, unique passwords.
So it'll give you that extra layer of security, hopefully without too much brainpower and only having to remember one password.
The nice part about leveraging a software like 1Password is that it's a pain point to go through and do it. But once you've done it, you at least have all your information in one spot. And if you're working with a family member to say, Hey, if something ever happens to me, here's how you get access to it.
It can potentially help you make things easier if you need some assistance, right?
Yeah, absolutely. I think obviously you want to make sure that you protect that master password, but there's ways to, you know, transfer it if need be. Like you said in a if there was a family transition or something to make that transition a little bit easier. Yeah.
So Menachem, when I think about all of the different ways we can protect ourselves, I mean, the list goes on and on from making sure you have a separate computer to only log in and do financial stuff and, you know, don't use Google or X, Y, Z, maybe even, you know, there's advice to create a separate email account that is only for your financial stuff as opposed to your personal one.
So that way when you're filling out those surveys or you know, signing up for rewards at Target or Starbucks, you're not using that same password. So that way it's more protected, to even creating like a core for all of your passwords to where you just build on top of it. You know, let's say it's a couple of numbers, a word and then a couple numbers and then, you know, Netflix and use that same core.
But then depending on the website, maybe you adjust that last part. What are your thoughts about people using a different email address just for financial accounts?
Yeah, I think that's great. That's a great solution. If you can do it. I think sort of you have to balance the convenience versus security factor. And for a lot of people it's just a really inconvenient and a headache to have to set up another email and use that only for, let's say, financial or medical information. So I think as much as you can, there's ways to protect yourself while still sort of maintaining a level of convenience.
You touched on it, passwords, right? Just having some solution to manage all your passwords I think is super important. Emails, another huge one of just being mindful of what you put in email and obviously, you know, not sharing sensitive information in the body of an email. But I think now we're at a point where a lot of times you'll be able to either upload your information to a secure link, right?
We have all of our team members have in their email address a secure link. You never have to email a Morton team member, you know, your tax return as an attachment. So even as much as possible, just keeping stuff out of your actual email, I think that somewhat negates the need for like a secure separate email. But again, some people maybe feel more comfortable with that and that's great.
Just trying for everybody else to balance that convenience versus security.
Using that secure link is a great way to go in terms of communicating in a way to where we're securing the data, but even leveraging our portal. What I like about our portal is it's, it's a separate system than the custodian like Fidelity or Schwab. And so even though you can get in key pieces of information through our portal, you can't really transact on it.
You can't, there's no money movement feature or anything like that, not like a Schwab or Fidelity. But you also have, you know, the vault or the documents that you can upload and download from there to help protect or have secure communication as well.
Yeah, absolutely. I highly encourage all of our clients to be using our portal. I think you hit on it the ability to share documents securely both ways, right? We can share documents with clients and they can share with us and then have the ability to view all their accounts. But again, like you mentioned, just have that information without have any of the other pieces like the money movement or anything tied to it.
So let's talk about communication, because you touched on it briefly there for a second in terms of how we communicate with our clients. Like why shouldn't we be using things like WhatsApp or other types of ways to communicate? Why is it still important that we still use email and phone direct?
Yeah, absolutely. I think, you know, it's something that's brought up a lot and nowadays there's so many ways to communicate, right? And I think maybe people of a certain generation like would prefer to never have a phone conversation and only text with their advisor. And so again, we want to obviously balance that. But part of being in a highly regulated industry like ours is that there's certain requirements that we have to adhere to, and one of those is a recordkeeping requirement.
So all registered financial advisors have to maintain and monitor all of their substantive business communications. So something like WhatsApp or I message on your iPhone, right? It's kind of a black box. There's no way to, it is encrypted. So it's more secure in that regard. But then it's not subject to archiving and monitoring. And so that, the SEC and I think all of us in this industry feel that's important to preserve market integrity, right? We don't want people communicating through daft channels that’s not being monitored. And so we just want to make sure that we're sticking to our approved channels. We do here have an approved solution for texting. So trying to make it easier for advisors to communicate with their clients that way, but really trying to stick with our approved modes of communication, even though there are plenty out there that are maybe more convenient.
And that's a really good point in terms of there are so many different ways that we can communicate. But if a client needs to transfer money or do some sort of financial transaction, that's not through something that's already established, like your bank account to your own personal stuff, that we send money monthly, if they want to do a transaction that's separate than that, we will actually pick up the phone and we will call our clients and we will verify the routing number, the account number and the details and speak to them physically.
If somebody is trying to close escrow on a new house, we will call the escrow company directly and verify those transactions. So we're going we're taking a couple of extra steps. It might be inconvenient from time to time, but we are taking some extra steps to help protect our clients.
Yeah, and for sure, that's important for our clients to know. Like this is something that we're doing to protect them and it might be a little bit inconvenient. Like you said, but super important to make sure that they're being protected.
Menachem, we talked about a lot today, so let's try to summarize and please fill in the details. But as a company, we're trying to protect our clients by working very closely with our third party vendors to help protect the information that we have in our system. But also run continuous audits to check to see where we are vulnerable within our system and things that we can do to improve because the landscape or the world of cybersecurity changes very, very quickly.
Yeah, absolutely. I think the only thing I would add is like as much as we do on the technical side, really focusing on that human element. So we talked about the testing and the training, you know, really making sure that our people know what to do in every situation, is something that's also very important for us.
Great. And so then clients ways that they can protect themselves is, you know, be mindful of the passwords that they're using, both, you know, for Netflix and maybe their bank accounts, but try to leverage something like a 1Password, the number 1 and then password as a platform to keep track of all of the usernames and passwords that are out there, set up dual factor authentication as much as possible.
And so that's where when you're logging into a website, you need to enter a code or a text message. A lot of our custodians use that when you're on the phone with them, they say, Can I send you a text and read back that six digit code that helps protect or verify the end user. That's helpful. And then as much as possible, try to communicate securely either through secure email from us or through our portal or that secure link in our email address.
Yeah, absolutely. You got it.
All right, Menachem, thank you so much.
Information presented herein is for discussion and illustrative purposes only. The views and opinions expressed by the speakers are as of the date of the recording and are subject to change. These views are not intended as a recommendation to buy or sell any securities, and should not be relied on as financial, tax or legal advice. You should consult with your financial, legal, and tax professionals before implementing any transactions and/or strategies concerning your finances.