Shareholder Authentication (published 2015)

• Table of Contents
• Introduction
  • Universe of Transactions
    • Nature of Participants in Shareholder Transactions
    • Types of Shareholder Transactions
    • Means of Transmission of Transaction Requests
• Authentication In Theory
  • Principles of Authentication
    • The First Authentication Factor: What You Know
    • The Second Authentication Factor: What You Have
    • The Third Authentication Factor: What You Are
    • Multi-Factor Authentication
    • Non-Traditional Authentication Factors
    • Mutual Authentication
    • Positive and Negative Authentication Factors
  • Limitations of Authentication
    • Limitations of Authentication Measures in Common Use
    • Limitations of Authentication Measures Generally
• Authentication In Practice
  • Technological Solutions
    • Shareholder Knowledge
    • Hardware and Software Tokens
    • Biometrics
    • Behavioral Patterns
    • Protection of Authenticated Sessions
    • Authentication of Devices
    • Authentication of Transactions
    • Authentication of Fund Groups (Mutual Authentication)
  • Operational Initiatives
    • Overall Threat Environment
    • Risks Associated with Authentication Systems
    • Risks Associated with Particular Transactions
    • Potential Legal Consequences of Transactional Fraud
    • Limiting Potential for Damage from Fraudulent Transactions
    • Protection of Online Transaction Systems
  • Educational Efforts
    • Employee Training and Awareness
    • Shareholder Awareness
• Insurance
• Glossary
• Further Reading

Some of the more common measures taken to raise shareholder awareness include providing information to shareholders to help them avoid phishing and other similar scams. Some financial institutions even provide free anti-malware software to their customers to help them avoid scams.¹ Many fund groups expressly advise shareholders that the fund groups will not request passwords or personal information by e-mail or over the phone and that shareholders should decline to answer such questions (or click on links in e-mails). More generally, many fund groups advise shareholders that, if they have any doubt about the integrity of communications purporting to come from the fund group, they should call the fund group directly.

In April 2014, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) undertook a cybersecurity initiative, in which it examined registered broker-dealers and registered investment advisers (including some advisers of registered funds) with respect to various cybersecurity issues. The initiative specifically focused on, among other things, information given to customers about steps that they may take to reduce cybersecurity risks in conducting transactions.² In February 2015, OCIE released preliminary results from the initiative, which indicated that a majority of the examined broker-dealers and investment advisers provided retail customers with information on protecting sensitive information. This information appeared to be distributed in various ways (e.g., on websites or through e-mails or regular mail).³

1. See Fidelity, Free McAfee Anti-Virus Software Offer (visited Sept. 28, 2015) https://www.fidelity.com/security/software-offers.
2. SEC, OCIE, Nat’l Exam Program Risk Alert, OCIE Cybersecurity Initiative (Apr. 15, 2014), http://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert--Appendix---4.15.14.pdf.
3. SEC, OCIE, Nat’l Exam Program Risk Alert, OCIE Cybersecurity Examination Sweep Summary (Feb. 3, 2015), http://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf.