The Canadian Investment Regulatory Organization (CIRO) is sending notification letters to investors affected by the regulator’s August data breach, but it’s financial advisors who are addressing clients’ questions.
“It’s not [the regulators] facing the clients,” said Pat Doe, president and chief compliance officer of a dealer in Ontario. “Pat Doe” is a pseudonym; this publication agreed not to name the executive or dealer because it has an upcoming regulatory audit.
“It’s not [the regulators] who potentially can lose a client,” Doe said. “Being an advisor right now — it’s not easy to have these conversations.”
On Jan. 14, CIRO said about 750,000 Canadian investors were affected by the regulator’s breach, which was detected last Aug. 11 and resulted from a phishing attack. CIRO confirmed on Sept. 9 that registrants’ personal information was hacked.
The regulator said investors’ stolen data may include dates of birth, phone numbers, annual income, social insurance numbers, government-issued ID numbers, investment account numbers and account statements. The breached data was collected during the regulator’s “investigative, compliance assessment and market surveillance work,” notification letters say. The affected investors may be current or former clients of CIRO dealer members.
Dealers don’t have information on which clients have been affected by CIRO’s data breach, which leaves advisors ill-equipped to initiate client conversations.
The regulators “have provided us with the least amount of information possible to handle their loss of a whole lot of information,” said Geoff Whitlam, president of Research Capital Corp. in Toronto. “And that information belongs to our clients.”
Natasa Morfesis, senior vice-president, dealer compliance and chief compliance officer with Worldsource Wealth Management Inc. in Markham, Ont., said that in the case of market surveillance, the regulator can’t, with certainty, match affected clients with the associated dealers. Specifically, data from CIRO’s market regulation trading exams, which were among the hacked data, may not include dealer indicators.
“CIRO has made it clear to all of us [dealers] that they will not be communicating a list of affected individuals to the dealerships,” she said.
If a client has “ever done business with any other investment firm or online brokerage [or] bought mutual funds through their bank location, [the breached data] could have been from there,” Morfesis said.
That means a notification letter may not relate to a client’s current account.
Dan Hallett is principal of Oakville, Ont.–based HighView Financial Group. He and the firm are registrants of the Ontario Securities Commission, and client assets are held in custody by a CIRO-regulated dealer. If a client’s breached data is associated with a previous account at a CIRO dealer, what is the time period, Hallett asked — “the last year, two years, five years, 10 years?”
“It could be 10 years ago,” Whitlam said. “The CIRO [notification] letter doesn’t tell [clients] which firm is connected with the [regulator’s] loss of data.”
Why does CIRO have this data?
Whitlam further noted that date of birth, which is among the breached investor data, “does not show up in account statements or in market surveillance data or in trade confirmation slips.” Clients know why and how the dealer has such data, he said. “The questions we’re getting are not about how do I protect myself” because of a data breach. Rather, “clients are asking, what was the document that was breached, and why did CIRO have it in the first place?”
While the regulator’s notification letters inform clients of which data were hacked, clients want to know where the data were, “how did [the data] reside?” Whitlam said. As a dealer, “We can’t answer the questions that clients are asking.”
Doe’s dealer has 1,900 affected clients. Doe knows this number and who the clients are because in instances where CIRO can match affected clients and dealers, the regulator is asking dealers for the clients’ addresses (as needed) so it can send out notification letters, Doe said.
Why did CIRO keep information from past audits? Doe asked. As an advisor, “you can conclude for yourself [what client information was potentially exposed], and then navigate those conversations with clients,” Doe said.
The notification letters say CIRO has a regulatory mandate to protect investors from “improper investment conduct and practices by providing oversight of dealers’ business conduct, including their trading activities.”
“Even worse” than being unable to answer clients’ questions, Whitlam said, is that the letters leave clients wondering “what our firm or their advisor or they did which would result in the regulator gathering their personal information and storing it in their files.”
In response to a question about retaining historical audit information, an emailed statement from the regulator on Thursday said, “CIRO’s records are subject to legal and regulatory retention requirements, which vary depending on the type of information. CIRO has implemented policies and processes to meet its legal, operational, audit and accountability obligations, and we have committed to reviewing these policies in response to the incident.”
Further information on the regulator’s internal policies can’t be provided due to CIRO’s regulatory responsibilities, the statement said.
Morfesis said Worldsource is currently undergoing an audit. As the firm provides CIRO with requested information, the regulator confirms that it will destroy the information after review. “The confirmation that this data will be deleted is new,” she said.
Notification letters confusing
There’s also concern that clients who receive notification letters will think the letters are a scam, Doe said. Whitlam said one of the firm’s clients asked if the offer in the letter of two years’ credit monitoring was a scam to get them to open accounts with the credit bureaus at an introductory free rate.
Doe recently spent a big chunk of time creating a list matching the dealer’s clients affected by the CIRO breach with advisors, and also identifying clients’ current accounts or whether they are now former clients. That way, advisors can proactively contact those clients or prepare for contact from past clients — potentially before clients receive notification letters.
But even if advisors learn which clients are affected by the regulator’s breach, the notification letters raise questions that advisors likely can’t answer. Susan Howson, a portfolio manager with Research Capital Corp. in Toronto, said a letter to one of her clients was addressed with “or” added to the client’s last name. Howson assumes the letter relates to a joint account. The client called CIRO for clarification but hasn’t yet received it, Howson said. If the spouse is affected, they too should be offered credit protection services, she said.
Doe described a couple of confusing notification letters — one received months ago and one recently. The letters were sent to the mailing address of the dealer’s ultimate designated person and addressed partially to a couple of Doe’s clients and partially to Doe. Doe has asked CIRO to clarify whether the letters are indeed client notifications.
Notification letters provide phone numbers to call if clients have questions about the breach or need technical help signing up with the credit bureaus. But if clients call those numbers, their questions are handled “like a call centre,” Doe said. “When you have a relationship with a client, it’s different; you have a duty of care.” Advisors provide emotional support to clients and keep them from panicking, Doe said.
Advisors can’t sign up for credit monitoring on behalf of a client, given that each notification letter provides the investor with a unique code to sign up securely. If clients need help, advisors can suggest they call the number in the letter. But that’s “such a cold response from an advisor,” Morfesis said. “That’s not what an advisor wants to say.”
And if clients affected by the CIRO breach haven’t experienced a breach before, advisors are “having more difficulty with the conversation, because they can’t confirm any of the information” in notification letters, Morfesis said. Even though the letter “explains what pieces of information were exposed, the client wants it reiterated by the advisor,” she said. “Yet, the advisor doesn’t have the information, can’t confirm it, and all they can do is encourage [clients] to sign up for credit monitoring.”
On the other end of the spectrum are clients whose data, unfortunately, “have been exposed multiple times,” Morfesis said. In such cases, advisors are having relatively easy conversations with clients, she said.
‘I look uncaring’
Certain advisors who know their clients are aware of the regulator’s breach (from media) have sent email blasts, informing them that they could receive notification letters, Morfesis said. But most advisors aren’t doing a mass communication, because they “don’t want to create the mass panic.”
Brenda Potter Phelan, a financial planner with Investia Financial Services Inc. in Cambridge, Ont., said she’s had one affected client call so far — “which worries me,” she said. If clients are getting notification letters without her knowledge and without contact from her, “I look uncaring or oblivious,” she said. (She received a notification letter as an investor.)
Jason Pereira, a partner with Woodgate Financial Inc. in Mississauga, Ont., said he’d discuss the breach with clients as they contact the firm. “To … proactively reach out to my entire client base would be to cause panic amongst people who had no reason to panic,” he said.
Pereira suggested that, regardless of this particular breach, “everyone should be vigilant” when it comes to credit monitoring and identity-theft risk.
Data breaches are now a fact of life, he said. “Whatever you think they [i.e., hackers] got access to and that you’re upset about, that data was probably floating around somewhere else before.”
Pereira added that investors affected by the CIRO breach should know they “could have been at the biggest bank or the smallest independent — it doesn’t matter,” because CIRO is a national self-regulatory organization.
Eight affected clients have called Howson so far, she said. She estimates she’s spent 30 hours on breach-related work — speaking with clients and researching and preparing educational information for them. (Howson herself received letters as both a registrant and an investor.)
In some cases, affected clients are no longer living. “The one [affected client] we know about is an estate case,” said Meagan Balaneski, senior financial planner with Agile Wealth Management in Vermilion, Alta. The executor was confused by the letter, she said, and wanted to know whether to act on it.
HighView Financial Group has been responding to “a few” affected clients so far who contacted the firm, Hallett said. “We’re not going to reach out to everybody, because we don’t know how extensive the breach is. We don’t want to alarm people if they end up not getting a letter.”
The clients who contacted the firm “want to make sure their money is safe, their identity is safe,” Hallett said. “The best way to do that, given this breach, is to sign up for those free credit monitoring services.”
Hallett received a notification letter as a past registrant — which was more than two decades ago.
Signing up for credit monitoring “gave me a bit of peace of mind,” Hallett said. So far, the monitoring has revealed “nothing suspicious.”