How do I keep my IRA safe from cybertheft?

Q. I have all of my finances at one mutual-fund company (Vanguard). Is there any possibility that I could wake up one morning and find out that a cyberthief has completely wiped me out?—Rita M., via e-mail

A. Cybertheft of mutual-fund assets is rare so far, although hackers are becoming more sophisticated. The Securities and Exchange Commission requires mutual funds to operate a program that identifies, detects, and responds to red flags for identity theft, but the companies are not required to restore assets stolen by hackers.

We checked with the 10 largest mutual-fund families and found that Vanguard does have a voluntary online fraud policy that promises to reimburse assets stolen in unauthorized online transactions; so does Fidelity. Franklin Templeton Investments, OppenheimerFunds, and T. Rowe Price say that restoration of stolen assets is determined on a case-by-case basis. We found no guarantees on the websites of American Funds, JP Morgan, or PIMCO, and those funds didn’t respond to our requests for elaboration.

To get protection, Vanguard requires (and Fidelity requests) that you follow these safeguards (which you should be doing anyway):

• Regularly review your account statements and promptly report any errors or suspected fraud.

• Protect your username, password, and other security information.
  

• Keep up-to-date security on any computer or other device you use to access your account (firewall, antispyware, and antivirus software).
  
  
• Do not respond to, click a link in, or open an e-mail attachment that you suspect might be fraudulent and that requests personal financial information.
  
  
• Cooperate in the investigation and prosecution of the fraud.
  
  
• Take advantage of two-factor authentication offered by many brokerage firms, which provides an additional layer of protection if your password has been compromised.

For related information, check our Investing Center.

Send your questions to ConsumerReports.org/askourexperts.

—Jeff Blyskal (@jeffblyskal on Twitter)