Ask Stacy: What Happens If My Investment Account Is Hacked?

You’d assume that if the money in your IRA or 401(k) is stolen, you’re covered. Bad assumption. If you’ve got any kind of brokerage account, stop what you’re doing and read this.

Other than perhaps your home equity, your investment accounts, including your 401(k) and other retirement accounts, are likely where most of your net worth resides. What happens if these accounts are hacked?

Here’s this week’s question:

With all the hacking going on whether large or small, how would a person’s IRA, 401(k) or pension be affected if hacked? Are there protections in place for the holder of these accounts?
– Russell

You’d assume you wouldn’t suffer a loss if someone fraudulently withdrew money from any type of account, whether bank, brokerage, credit card or retirement plan. But that’s not the case.

While there are laws that limit your losses if your credit or debit cards are compromised, there aren’t specific laws protecting you from cybertheft-related losses in your brokerage account.

If hackers gain access to your brokerage account by hacking into your firm’s servers, odds are good you’d be reimbursed. But if the cybertheft occurs on a more personal level, the outcome could be a lot worse.

Say you get an email from your brokerage firm stating your monthly statement is ready for review. You click the link within the email, which takes you to the login page of your brokerage website. You enter your username and password, check your balances and go on with your day.

But the email you responded to was fake. The website you were on looked like the login page of your brokerage account, but the site was a decoy designed to separate you from your login credentials. Now that they have your username and password, the crooks are in a position to empty your account.

Does the brokerage firm have to reimburse you? No. They could simply claim that you’re supposed to keep your login information secret and you didn’t. The fact you responded to a legitimate-looking email isn’t their problem. There’s no law requiring them to reimburse you.

A few months ago, the SEC examined 57 registered broker-dealers and 49 registered investment advisers. According to their report:

Written policies and procedures generally do not address how firms determine whether they are responsible for client losses associated with cyber incidents. The policies and procedures of only a small number of the broker-dealers (30 percent) and the advisers (13 percent) contain such provisions, and even fewer of the broker-dealers (15 percent) and the advisers (9 percent) offered security guarantees to protect their clients against cyber-related losses.

What happens if you get ripped off?

If you’ve got money with a brokerage or investment firm, step one is to see what kind of protection your broker offers in cases of cyber breach. Here are links to fraud policies of three popular investment firms:

As an example, here’s the language Vanguard uses to introduce its policy:

Our commitment regarding online security is simple. If assets are taken from your account in an unauthorized online transaction on Vanguard.com® — and you’ve followed the steps described in the Your responsibilities section below — we will reimburse the assets taken from your account in the unauthorized transaction.

Sounds good. But what exactly are your responsibilities? Here are the highlights.

  1. Review your accounts regularly.
  2. Protect your Vanguard.com user name, password, and other account-related information. 
  3. Protect your computer.
  4. Do not reply to e-mail requests for personal or financial information.
  5. Cooperate with us and stay informed.

You can review the details under each of these headings on their policy page, but you get the idea. Unlike with a credit card, when it comes to investment accounts, you’re not off the hook simply because someone hacked your information. You’re responsible for keeping your account safe. Also worth noting is the fine print at the bottom of the policy page, which reads in part:

This protection does not apply to unauthorized activity caused in whole or in part by your fraudulent, intentional, or negligent acts or omissions, including activity by a person whom you have intentionally or negligently permitted to transact in your account, or to whom you have intentionally or negligently given access to security information relating to your account. This protection does not apply to unauthorized account activity or account access by an employer or plan sponsor representative who is authorized to access your account but is acting outside the scope of his or her authority.

In other words, if you negligently allow someone to obtain your login information, the guarantee doesn’t apply. (And who decides what constitutes negligence? They do.) Nor, in the case of retirement accounts, does the guarantee apply if your employer or plan sponsor rips you off, which is something completely beyond your control.

This lack of investment firm accountability is frightening, particularly in light of the potential money involved and the amount of online fraud that’s occurring these days.

Protecting yourself

The SEC put out an investor bulletin called Protecting Your Online Brokerage Accounts from Fraud that every investor should read. Here are the steps they suggest:

  • Pick a strong password, keep it secure, and change it regularly
  • Use two-step verification, if available
  • Use different passwords for different online accounts
  • Avoid using public computers to access your online brokerage account
  • Use caution with wireless connections
  • Be extra careful before clicking on links sent to you
  • Secure your mobile devices
  • Regularly check your account statements and trade confirmations

Click the link above to get more detail on their suggestions. Other sites to review include the SEC’s Online Brokerage Accounts: What You Can Do to Safeguard Your Money and Your Personal Information, FINRA’s Protect Your Online Brokerage Account: Safety Should Come First When Logging In and Out and the FTC’s Tips for Using Public Wi-Fi Networks.

Bottom line? Your investment accounts don’t carry the same legal protections as your credit cards, and they’re likely to contain a heck of a lot more money. Take the necessary precautions.

Got a question you’d like answered?

A great way to get answers to just about any money-related question is to head to our Forums. It’s the place where you can speak your mind, explore topics in-depth and, most important, post questions and get answers. It’s also where I look for questions to answer in this weekly column.

About me

I founded Money Talks News in 1991. I’ve earned a CPA (currently inactive), and have also earned licenses in stocks, commodities, options principal, mutual funds, life insurance, securities supervisor and real estate. Got some time to kill? You can learn more about me here.

Stacy Johnson
