Seeking Alpha

While investors worry about important known risks, one little discussed amorphous risk lurks in the background that could do great damage to portfolios, and potentially to the standard of living for those who have completed the accumulation stage of their financial lives. That risk is a catastrophic level of cyberattack on financial institutions.

Top worries in the news are generally (1) European nations defaulting and their banks failing, (2) the United States digging itself into a deeper financial hole, and (3) the ability of China to continue to grow rapidly in a world of slowing economic growth at the same time that they have overbuilt much infrastructure with loans from banks that may not be able to be repaid.

The top worries are ones that are well known and that have substantial probabilities of developing in a way to overcome the good things that are going on. They are visible and evolving risks. Cyberattack, on the other hand, is an invisible and essentially sudden and unexpected, but much lower probability, event that could have massive negative impacts on financial markets and investment portfolios.

If you have full faith in the ability and preparation of your government and your financial institutions to thwart a financial cyberattack, even one mounted by a well funded, well prepared, state or terrorist adversary, then there is nothing to worry about. However, if you do not have that faith, and have noticed the increasing level of news about successful hacks of government agencies and important websites, then you might consider thinking through how you might prepare for the worst.

If you are the kind who has a generator in case of a power failure, extra batteries, flashlights, a battery powered radio, bottled water and some canned or dried food on hand in the event of a storm that knocks out power to your community, then you might also think about simple things you could do to reduce your risks in the event of a successful cyberattack on your financial institutions.

Just imagine if the ID and passwords for your broker or mutual fund organization no longer worked, or they could not verify that you are a client, or if their computers think your assets are quite different from what you know to be true.

Imagine if, when you went to the ATM for cash, it said you have none, but you really do. And imagine if, because of an interruption in availability of investment assets for living purposes, your credit card said your limits were exceeded when you know you have no balance at all. That would make a week without electricity after a storm seem like a piece of cake.

A cyberattack would be a low probability "left tail" event, but one of potentially great impact. An attack could well be intended to scramble custody data, spook markets into a steep drop, potentially cause some financial institutions to fail, and create a long period where you do not have access to your assets or the income from them because of uncertainty as to who owns what.

An ideal sort of war might be one where nobody gets killed on either side, plant and equipment is preserved, but one side is brought to its knees by simply causing complex systems to stop functioning -- turn off power grids, shut off communications systems, and scramble the data that makes digital money move or randomize asset ownership records.

If MF Global was able to lose track of billions of customer money and perhaps ownership data in a short period of incompetence (or criminality), imagine what a professional hacking organization funded by a determined terrorist sponsor or nation could do with years of practice and preparation.

It probably won't happen, but it could. If it did, have you done simple things to minimize the damage to you?

To take this article out of the sphere of UFO watchers and BigFoot believers, consider this quote from The Economist on December 31, 2011:

Financial terrorism, The war on terabytes

… it is easy to overlook the threats it [securities markets] faces from outside. High among them is electronic attack. ... Bob Greifeld, the boss of NASDAQ, has described his bourse as being under “literally constant attack”.

Leon Panetta, America’s defense secretary, has suggested that a cyberattack on financial markets, the power grid and government systems could be “the next Pearl Harbor”.

In a move that received surprisingly little attention, Barack Obama signed an unprecedented executive order in July declaring the infiltration of financial and commercial markets by transnational criminal groups to be a national emergency. It also pointed to “evidence of growing ties between [these groups] and terrorists”.

In a sign that Congress, too, is twitchy, its latest appropriations bill calls for a report into the risks posed by financial terrorism.

Here are some simple things you can do to reduce your risk. Some are quite inconvenient, while others take minimal effort. Considering that your life savings or the continuity of portfolio income may be at risk, these mitigation measures may be worth considering.

  • Use anti-virus and anti-spyware software on all of your computers (are banking and investing "apps" on tablets and mobile phones as secure as using a virus and anti-spyware protected computer? -- we don't know, but have our doubts)

  • Don't open banking or investment accounts by links in emails (which could be malicious) -- always access your online accounts by going to them through your browser or dedicated software

  • Save trees if you wish by going paperless, but download PDF files of your monthly statements and back them up locally and remotely -- you will be required to provide proof of your account and your holdings in the event of an institutional failure (and maybe a cyberattack)

  • Use a bank that provides daily email notices of your balances so you have fully up to date records of assets there (create an email folder and drag and drop them in)

  • Save email confirms of trades at brokerages or mutual fund organizations at least for a month, so you have intra-month records of your holdings between monthly statements (create an email folder and drag and drop them in)

  • Set up your local and remote backup to include your email folders (not all your emails, just the ones you have chosen to save for records purposes)

Now here is the really, really inconvenient tactic, but a potentially quite beneficial one --- keep your money with more than one institution. Simple to say, but extra work and effort to keep records, move money around and manage assets. However, a cyberattack is less likely to be successful against all institutions than against one or some.

If you diversify asset classes to reduce risk, and diversify securities within classes to reduce risk, perhaps diversifying where your money is held reduces risk as well.

A Very Simple Model:

Have one brokerage or mutual fund account and one bank FDIC insured money market account with electronic transfer between them set up.


Keep your money market assets with the bank and your risk assets with the broker or mutual fund organization.

Instead of the convenience of a sweep money market account with the broker or mutual fund organization, you have to transfer cash from the bank to broker or mutual fund organization to buy risk assets; and you need to transfer sale proceeds from risk asset sales to the bank.

That is not really too hard, but it has some strong advantages. The FDIC (for the bank) is a lot quicker and a better quality guarantor than SIPC (for the broker), or some kind of Lloyds-like cover that may apply to the mutual fund organization.

SIPC is an industry self-funding organization. FDIC is government-backed. Lloyds is backed by the "names at Lloyds" -- good for ordinary losses, but in a system-wide meltdown, the "names" might not be able to access their capital to fund the insurance payments. That is also why you have to take the Lloyds cover in excess of SIPC at brokers with a little bit of salt. Lloyds does not have the capacity to pay claims on a system-wide failure, and the limits carried by brokers are a very small fraction of their total client custodied assets (for example, Fidelity's aggregate Lloyds limit is $1 billion, Schwab's is $600 million, and TD Ameritrade's is $250 million).

If you are single, you can protect $250,000 on the bank side with FDIC (additional amounts would not be FDIC insured but could still be put in the bank to create custody diversification).

In a more complex transfer web, if you have a joint account, you can have three FDIC insured accounts at a bank connected to one brokerage or mutual fund account generating up to $750,000 of FDIC protection. Alternatively, you could have single accounts at more than one bank to create the same effect.

Farther out on the risk avoidance scale, it might be arguable that second or lower tier banks might be less likely to be individually targeted in a cyberattack. XYZ credit union or ABC community bank might be missed in a cyberattack aimed at the largest banks. Attackers would likely go for the most bang for their buck, and unless they could shut the whole thing off, they would most likely go for the systemically important banks.

With brokers, we would still be inclined to stay with larger, top name houses, due to the quality and scope of services, and probable reduced risk of a total management failure (or worse) as in MF Global.

A More Complex Model

Have two or three brokers or mutual fund organizations custody your risk assets, and utilize more than one bank to store money market reserves.

For example, to keep it from getting more complicated than necessary, you might keep fixed income assets at one broker and stock assets at another. That might reduce the frequency of asset transfer between them, while reducing the risk of one broker melting down in an attack and freezing all your assets.

Money Market Choices:

Right now with money markets paying virtually nothing, it makes sense to use a Treasury money market as opposed to one that can invest in credit risk paper. All you do by exposing yourself to breaking-the-buck with the credit risk money market fund is reduce the profit drain on the sponsor/manager. If Treasury money market and credit market money funds have the same yield, it's pretty much a no-brainer to use the Treasury-based funds.

Similarly, bank FDIC insured money market accounts are a better risk than a Treasury money market fund at a broker, because the value of the FDIC insured money market is guaranteed, while the value of the broker held money market (Treasury or otherwise) is not.

Treasury short-term paper is entirely unlikely to cause a fund to break-the-buck, but inappropriate or negligent behavior by the manager could.

Don't Get Confused About Brokered CDs

Brokered FDIC insured CDs are not as protected as an FDIC CD acquired directly through the bank. A brokered FDIC insurance CD is guaranteed by the FDIC to be worth its stated value, but if the broker melts down, the brokered CD is a custodied asset held by the broker and comes under the SIPC process.

The FDIC is fast in resolving and restoring accounts, and SIPC is slow by comparison.

Practical Limits To Acceptable Complexity:

For investors with wealth in the realm of $1 million to $2 million, a small electronic transfer connected network of institutions can keep all assets under the $500,000 SIPC and $250,000 FDIC per account limits, avoiding the uncertainties of the adequacy, timeliness and ultimate acceptability of protection under aggregate limits from Lloyds or some other private excess insurance provider.

For investors with substantially greater wealth, there is a practical limit to how many brokers, mutual fund organizations and banks a person can deal with. There is more to life than risk management. However, splitting assets to some degree could prevent a lifetime accumulation from being tied up or lost in a single institutional failure.

Cyberattack Risk Management Thought Experiment:

It might be worth an hour of your time to think through the administrative and risk management pros and cons of a basic model something like this:

  • an account with Broker A (for stocks or actively traded assets)

  • an account with Broker B or Mutual Fund organization C (for bonds or longer-term holdings)

  • a money market account with Bank D (for spending reserves or temporary cash holdings pending re-risking)

  • an electronic transfer set up between them (at least to and from the bank and the brokers or mutual fund organizations, or a link between the brokers or mutual fund organization themselves, as well as between them and the bank)

This approach gives you maximum flexibility and no set requirement to hold significant assets in any of them. You have the facility to move assets between them when you feel it is prudent and otherwise they can stay dormant except for minimum required holdings in those you are not actively deploying at the time.

There are variations on the theme, but it might be useful to think this through, as you may have thought through storm outage or hurricane evacuation plans at home.

What About Investors With A Lot of Money?

Let's take the case of an investor with $10 million to invest instead of $1 million.

The $1 million investor can achieve full insurance coverage from SIPC and FDIC with the basic model or something similar, as well as achieve custodial diversification.

The $10 million investor cannot achieve full SIPC and FDIC insurance coverage with the basic model, however they can still achieve custodial diversification, which could be quite valuable as a standing allocation, or for a quick reallocation among custodians if things started falling apart and time permitted to adjust.

Without a pre-authorized electronic transfer set-up, transfers would require downloading forms from websites that may not work (or getting paper from offices that may not be near), completing them and mailing or faxing them for manual processing (which may be delayed due to the same causes that prompt the investor to want to quickly reallocate). Pre-authorized electronic transfer is the preferable path when you want to move money between custodial institutions.

The $10 million investor can create more protection with more institutions, probably most easily accomplished for emergency purposes by setting up money market savings accounts with several banks and linking those banks by electronic transfer to one core bank.

Some might say just use multiple advisors, and that is not a bad idea, but just make sure they are not all on the same brokerage platform. If the $10 million investor spread the money among three advisors, but two or three of them are on the same broker platform, there would be less or no custodial diversification.

Unless the advisor were working with Limited Power of Attorney on the investor's retail accounts, the multiple advisors would not provide the rapid reallocation capability that a cyberattack meltdown might make attractive.

Do-it-yourself investors can do more in the diversification and rapid redeployment arena than those using advisors who have custody of their assets.

Risk Management Thought Experiment:

Once again, these are just thought experiments that may result in a decision that no action is necessary, that cyberattack risks are not significant or that the complexity is just too much. Nonetheless, it is better to have considered the issues and have decided to do nothing, than to be unaware of the issues and have done nothing by default.

Disclosure: No securities were named in this article.

Disclaimer: This article provides opinions and information, but does not contain recommendations or personal investment advice to any specific person for any particular purpose. Do your own research or obtain suitable personal advice. You are responsible for your own investment decisions. This article is presented subject to our full disclaimer found on the QVM site available here.
