Your Security is Our Priority

Market conditions and increased fraudulent activities pose unique security challenges to your firm. Fidelity Investments offers operational strength, advanced technology, regulatory advocacy, and investor knowledge to help deliver enhanced security and privacy to your firm and end investors. We are committed to using the latest technology to guard your information and accounts. But we can't do it alone. We need to work together, and it is important for you to enhance your security controls and measures by taking some actions on your own. See what we do to keep you safe, and what you can do to protect yourself.

Take Action

How We Protect You

Enterprise-Wide Initiatives


Two Factor Authentication

Advanced Authentication

Back-End Systems

Additional Protection


How to Protect Your Firm

  1.  Develop and Implement an Identity Theft Protection Program
  2.  Proactively Prepare for a Compromise
  3.  Actions to Consider

Develop and Implement an Identity Theft Protection Program

The identity theft "red flags rule," known as Regulation S-ID, was issued jointly by the SEC and the U.S. Commodity Futures Trading Commission (CFTC) and became effective in 2013. The rule requires any SEC- or CFTC-registered financial entity that directly or indirectly holds transaction accounts for its clients to develop and implement an Identity Theft Protection Program (ITPP).

All advisors, broker-dealers, and other financial institutions (as defined by the regulations) are required to develop and implement an identity theft protection program consisting of reasonable, board-approved compliance policies and supporting procedures to prevent, detect, and respond to any possible identity theft situations.

While Fidelity encourages all advisors, as part of their fiduciary responsibility, to remain vigilant for signs of fraud, we suggest that you consult legal counsel to gain a full understanding of the rules and regulations that apply to your firm, especially because current data protection and data breach notification laws vary from state to state.

Proactively Prepare for a Compromise

Security compromises can occur despite the best efforts of all involved. Consider taking these proactive measures to prepare your firm for a potential problem — from outside criminals or employees within your firm:

Actions to Consider

Technologies are constantly evolving — including those used by criminals. Ask yourself: Are your security policies and procedures keeping up? Consider the following precautionary measures to help combat the growing threat of data security compromises:


How to Protect Yourself

  1.  Secure Your Home Computer
  2.  Minimize Your Risks Online
  3.  Protect Yourself from Identity Theft

Secure Your Home Computer

Regularly Update Your Operating System and Applications

Applications and operating systems that are installed on your computers may have vulnerabilities. These issues can be found by malicious actors, who can then take over your system or network by exploiting those vulnerabilities. Most major software companies regularly release updates or patches to their operating systems to repair security problems. A large percentage of these patches and upgrades repair security problems that have been found in the software.

You can minimize your exposure to unintentional downloads by keeping your computer up to date with the latest security patches. Some websites, such as Microsoft® and Apple®, offer the ability to scan your computer for missing updates. It's good practice to go to your software vendor's website at least monthly to check for new upgrades and patches. For the best protection, set up your computer to receive updates automatically whenever possible.

Apply patches for vulnerabilities as soon as they are released by the vendor. Upgrade as new versions of applications, software and operating systems become available. Delaying or ignoring patches for vulnerabilities considerably increases the chance of systems being exploited. This is particularly important for Internet/public-facing systems (VPN, web, email servers).

Use Anti-Virus Software

A virus is malicious software that is installed on the system, usually by accident or through trickery, that does harm to the system and affects its normal operation. Up-to-date anti-virus software protects your computer against current virus threats. Most commercially available virus protection programs offer automatic and emergency updates. Regularly scan all your files using the latest anti-virus updates. For the best protection, set up your anti-virus software to scan every file you open. You can also schedule your software to run periodic scans.

Use Anti-Spyware and Anti-Adware Software

Spyware is software loaded on your system that monitors your Internet activity, and adware is software loaded on your system that tracks your browsing habits and pops up ads promoting different products and websites. These programs install themselves automatically, often without your knowledge or permission, and should be avoided for privacy and security reasons. Spyware programs run on your computer and can gather private information such as passwords/PINs and credit card numbers, deliver unwanted pop-up advertising as you surf the Web, and monitor your browsing patterns. Free software is widely available on the Internet, but may contain malicious software programs. Before you agree to download a software program, make sure you know and trust the company offering the software, and read the user agreement. Make sure to keep your computer updated by running your anti-spyware and anti-adware software regularly.

Use a Personal Firewall

Firewalls serve as protective barriers between your computer and the Internet, preventing unauthorized access to your computer when you are online. They can be software programs or physical devices. Firewalls are often included in security software suites such as Norton Internet Security™ and McAfee® Internet Security Suite. Operating systems, such as Windows, may also include firewall software. Some ISPs offer firewall software or hardware to their clients. Be sure to set up a firewall between your computer and the Internet.

Exercise Caution When Using Wireless Networks

The default configuration of most wireless home networks is not secure. Contact your wireless software vendor for specific information about enabling encryption and strengthening the overall security of your wireless home network.

Taking a few simple precautions when using wireless hotspots can help protect your computer:

Wireless technologies are continuously changing. Consult the manufacturer of your network hardware to ensure you have the most up to date security technology.

Minimize Your Risks Online

Protect Your Passwords/PINs

When creating your user accounts, choose strong sign-in credentials so that your passwords/PINs are as hard to guess as possible. Avoid obvious numbers, such as a birth date or an anniversary, which would be easy to guess.

What is a strong password? A strong, or complex, password is one that meets the following requirements:

Change your passwords frequently, and never divulge your passwords/PINs to anyone, including family or friends.

Use Strong Authentication

By enforcing multi-factor authentication, especially for privileged accounts and remote access (e.g. VPNs), you dramatically reduce when and where stolen credentials can be reused by an adversary. Create, enforce, and maintain strong password policies across your firm. The use of strong password policies must be mandated for all users and is especially critical for administrator accounts and service accounts.

Protect Yourself from Phishing Scams

Cyber criminals try to gain your personal information via deceptive means such as legitimate looking emails with fake web links, phone numbers, and attachments. This method of email fraud is called phishing. Avoid opening links or attachments in an email you are not expecting. Phishing emails will often ask you for personal information in an effort to obtain access to your financial assets and identity. Responding with sensitive information (like account numbers, passwords or social security numbers) is never a good idea.

Don't Open Unexpected Email

Be cautious of email and attachments — even if they look like they're from a friend. Unless you are expecting them or know what they contain, never open them.

Don't Email Personal or Financial Information

Most email is not secure or encrypted and should not be trusted to send personal or financial information. Legitimate companies seeking information normally send written requests on company letterhead. You should be cautious of and verify any requests you receive that ask you to email personal or financial information.

Check that Web Forms Are Secure

When on a website, avoid entering personal and financial information. If you do need to enter sensitive personal information, look for forms that encrypt data and check that the web address shows the site is running in a secure mode, as this may provide some enhanced protection of your information. Some websites or forms on websites may encrypt information, which may be identified by a padlock icon in your browser's status bar (at the bottom of the browser window) and by the prefix "https" in the browser's address bar, which indicates that the site is running in secure mode.

Sign out of Websites and Close your Browser

Be aware that sensitive information may still be stored within the browser, even after you sign out of a website. If you leave a computer unattended after you have signed into a website, someone may be able to use the browser's Back button to view your personal information. To avoid this, sign out and close your browser to minimize any security risk. You may also choose to delete encrypted pages and/or temporary Internet files from your computer's hard drive or disk (clear your cache), or set your browser to not save encrypted pages to disk (in your browser's security or advanced settings).

Protect Yourself from Identity Theft

Protect Your Personal Information

Identity theft is a growing problem online because of the increasing amount of information available about individuals online. It can take years of persistent work to follow all the administrative steps needed to regain your good name and credit score.

Identity thefts are categorized according to what the thief does with your data:

A few simple steps can go a long way. For example, shred documents containing personal or financial information instead of simply throwing them away. Also, be absolutely sure you know who you're dealing with before giving any personal or financial information. OnGuard Online™ (http://www.onguardonline.gov), a site created by the U.S. Federal Trade Commission (FTC), offers additional information on preventing identity theft.

Here are some tips for avoiding identity theft:

Know the Warning Signs of Identity Theft

Identity theft warning signs include:

Although it could be a simple error, never assume a mistake has been made that will automatically be corrected. Follow up with the business or institution.

Act Quickly If You Suspect Identity Theft

If you suspect that your personal information has been used wrongfully, immediately:


Report an Online Security Issue

If your account is blocked or compromised

Call us at 800-523-5518 (Advisors)
Contact your Home Office (Broker Dealers)

Think you received a suspicious email? Report it.

Phishing messages have evolved drastically and are often difficult to recognize. They can incorporate realistic company logos and graphics, provide links to the real company's privacy policies, and even include authentic-looking legal disclaimer language at the bottom.

If you suspect you have received a phishing email:

Contact your Client Service Team

If you suspect your account has been compromised or you see unauthorized activity on your account, contact your client service team immediately. They will investigate and advise you on what steps need to be taken to protect your account.

Whenever You Suspect Fraud

Update your antivirus software

Run an antivirus scan on your system to check that your computer is not infected with a virus. Make sure that your system and anti-virus software are up-to-date.

Change all your passwords

Change your account password and security questions immediately. Do this for your Fidelity account, your email accounts, and other online accounts.


Learn How to Recognize Phishing Emails

Phishing messages have evolved dramatically over the last few years, and they are often difficult to recognize. Creators often incorporate realistic company logos and graphics, provide links to real companies' privacy policies, and can even include realistic legal disclaimers. Make sure the organization that is represented is one you trust. Never respond to an email or fill out any requests for information on a website unless you're confident in its authenticity and security.

To help determine if an email is part of a phishing scam, ask yourself the following:

If you are at all unsure, contact the company by phone.

Some other pointers about suspicious emails

How to Report a Phishing Scam

If you suspect you have received a phishing email:


Know How to Check That You Are On a Secure Site

If you are about to enter personal or financial information on a website, you must be able to identify whether or not that site is secure.

Look at your browser's address bar.

If the address starts with "https://" that means the site has an added layer of security that creates an encrypted connection between the web server and your browser. This additional layer allows private information to be transmitted securely.

Note that web pages intended for browsing may not have this level of security, and that is OK. You should, however, look for "https" on all pages that require you to sign in and/or enter any sort of sensitive information.

Another indication that a website is secure is a padlock icon next to the URL in the navigation bar.

Never enter personal information unless you are sure the website is legitimate and encrypted.


How to Be Cautious On Public Networks

Not every network is secure. Many public networks and Wi-Fi hotspots don't require a WPA or WPA2 password when you connect. If no password is required, it is likely not a secure network.

If you use an unsecured network to sign in to an unencrypted site — or a site that uses encryption only on the sign-in page — you are potentially exposing your sensitive data and sign-in credentials to everyone on that network, including scammers.

The best way to protect yourself:

Avoid using public, unsecured networks and Wi-Fi hotspots. If you must get online, here are a few precautions you can take:


Additional Resources

For a comprehensive list of Security Terms, you can visit the SANS security resource glossary:

Educational resources about phishing scams are found at http://www.antiphishing.org or https://www.identitytheft.gov.

The FBI has the Internet Crime Complaint Center (IC3), which allows the public to stay informed about internet related criminal activity. The public can also report incidents to the FBI through this site.
http://www.ic3.gov is the federal government's website to help you be safe, secure and responsible online. It is managed by the Federal Trade Commission (FTC).

For details on the NIST framework, please visit or

FINRA releases a report on Cybersecurity Practices, it can be found here:

United States Computer Emergency Readiness Team:

CERT has an article on configuring your web browser for safer Internet surfing: