Wealth managers face a new reality. Cybercrime will soon be a $10.5 trillion annual business—larger than the sale of all illegal drugs worldwide, combined—and industry participants and their clients are among the world's most compelling targets. Numerous firms have already been attacked and millions of dollars of client assets have been stolen.

The U.S. Securities & Exchange Commission (SEC or Commission) along with many state regulators have made it clear that they expect industry participants to have cybersecurity protections in place. Proposed regulations will require wealth managers to adopt policies and procedures that are “adequate” and that they must “effectively certify.” And should the policies and procedures prove to be “inadequate,” they could face a “Commission enforcement action.”

Unfortunately, to date most advisors have largely ignored cybersecurity. The good news is that an effective program for most firms is neither complicated nor expensive.

However, it is important to dispel upfront two foolish notions that widely permeate the industry. First, many assume that it can largely be addressed by acquiring the right technology. Certainly, having good technology is a precondition to effective cybersecurity.

That said, it is almost always the intersection of humans and technology that creates the best opportunities to penetrate cyber defenses, regardless of the technology employed. And the success of any cybersecurity program depends heavily on the behavior of individual stakeholders.

Second, many industry executives also feel that it is inappropriate for their organizations to get “involved” in either their clients’ or employees’ personal cybersecurity. This notion is analogous to a pig believing that it is inappropriate for it to get “involved” in a ham and egg breakfast. Just as it is the farmer and not the pig who makes that decision, cybercriminals have stripped wealth managers of the option of disregarding personal cybersecurity.

More specifically, the easiest avenue for breaching any firm is through its clients and its employees working away from the office. A recent study found that 82% of all financial services company breaches were initiated through employees working remotely and nearly every wealth manager has already been subjected to indirect cyberattacks involving clients.

Background
Formulating an effective cybersecurity program requires understanding (i) three core concepts; (ii) who the bad guys are and what they are trying to steal; and (iii) industry participant obligations under SEC expectations and anticipated new rules.

A. Three core cybersecurity concepts
1. Everything connected to the Internet will at some point be breached, regardless of what its owner does.

However, cybercriminal behavior is driven by cost/benefit analyses tied to how much time and resources are required to breach a company versus the value of what can be stolen.

2. Cybersecurity is therefore an exercise in risk management and resource allocation.

CEOs must balance the level of cyber risk that their firm can bear with what they can and want to spend on cyber defenses.

3. Damage minimization is as important as reducing the likelihood of being breached.

The inevitability of a breach also makes identifying and implementing steps to minimize potential resulting damage an equally important aspect of an effective cybersecurity strategy.

B. Who are the bad guys and what are they after?
Cybercriminals can be generally divided into two groups—nation-state-backed or state-tolerated cybergangs that operate openly in China, Russia, Iran, and North Korea, and thousands of smaller cybergangs that operate in every country in the world.

What are they trying to steal?
Both groups are after client information and assets. Stolen client non-public personal information (NPPI) can be used for identity theft—now a $54 billion annual industry. Cybercriminals also target liquid assets that can be wired out of client accounts.

C. Key obligations under the proposed cybersecurity rules
1. Having “adequate” cybersecurity policies and procedures or risk an enforcement action

The proposed rules would require every firm to have policies and procedures that are “reasonably designed to address cybersecurity risks.” Should the SEC conclude that a firm operated with “inadequate” cybersecurity, “the registrant faces down-side risks …. (i.e., Commission enforcement actions).”

2. No differentiation between breaches resulting from indirect and direct attacks

The rules also do not distinguish between breaches resulting from direct or indirect attacks. This is potentially problematic because wealth managers are far more likely to be breached indirectly through clients and remote working employees than through direct attacks.

3. Individual responsibility and potential liability

The rules are also clear that the SEC views cybersecurity as not just the responsibility of firms but also of individual employees.

4. Self-reporting of material breaches

RIAs would be required to self-report any material breaches to the SEC within 48 hours of being detected.

5. Expanded cybersecurity risk disclosure obligations

The proposed rules obligate wealth managers to “in plain English, describe cybersecurity risks that could materially affect the advisory services they offer” and to “promptly” disclose any material breaches to clients.

One key business implication is that firms will have to inform clients that, should their custodial accounts be breached, it is unlikely that any stolen money will be reimbursed. Additionally, a material breach could also potentially fatally damage a wealth manager’s long-term business prospects because the breach, its cause, and the associated damage would have to be disclosed to every current, future and potential client.

6. Obligation to protect against “insider” threats

The proposed rules also obligate wealth managers to “develop and implement cybersecurity policies and procedures designed to mitigate” cybersecurity risks from insiders (i.e., rogue employees, vendors, etc.).

How Cybercriminals Attack Wealth Managers
Cybercriminals attack wealth managers and their clients using a variety of evolving tactics. They penetrate company systems and steal client information. They purloin credentials for accessing custodial accounts and then pose as either the client or wealth manager, initiate fraudulent transactions, and intercept the subsequent communications confirming their legitimacy.

These kinds of criminals also are early adopters of artificial intelligence (AI) software and have used it to create so-called “deep fakes” – very accurate clones of individuals’ voices and images, regularly used as part of “social engineering” tactics. There is even a do-it-yourself video guide for creating deep fakes that can be used for Zoom calls.

Direct attacks. Cybercriminals directly attack weak points in company systems resulting from misconfigured tech stacks or short and/or unsophisticated passwords. Approximately one million passwords are compromised every week because it is relatively easy to use computers in what are called “brute force attacks” to correctly guess short and/or unsophisticated passwords. A recent study showed that a computer using ChatGPT was able to correctly guess an eight-character alphanumeric password with upper and lowercase letters, numbers and symbols in less than one second.
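The cost/benefit logic behind brute-force attacks is easy to make concrete: an attacker who tries every combination of a character set does work that grows exponentially with password length, so a firm's password policy is really a decision about how much attacker effort it wants to require. The script below is an added illustration written for this article, not code from the authors or their paper; the character classes, the example passwords and the assumed guess rate of 10 billion guesses per second are constructed values for the example, and the policy threshold of 60 bits is a hypothetical choice, not a figure from the article.

```python
"""Password keyspace and brute-force time estimator (added illustration).

Models the cost/benefit point the article makes: exhaustive guessing covers
alphabet_size ** length candidates, so length and character variety decide
how long an attacker must work. All numbers below are constructed for the
example and are not measurements reported by the article.
"""
import math
import string

# Character classes a password may draw from (sizes: 26, 26, 10, 32).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Assumed attacker guess rate for an offline attack on a fast hash.
# Constructed illustrative figure, not a value from the article.
ASSUMED_GUESSES_PER_SECOND = 1e10


def classes_used(password: str) -> set:
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def alphabet_size(password: str) -> int:
    """Size of the smallest character set covering every class the password uses."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search of that alphabet and length covers."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time for an attacker at `rate` guesses/s to try every candidate."""
    return keyspace(password) / rate


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: a single number for comparing password policies."""
    return math.log2(keyspace(password))


def meets_policy(password: str, min_bits: float = 60.0) -> bool:
    """Hypothetical policy check: require at least `min_bits` of brute-force resistance.

    This counts only exhaustive-search work. Dictionary words, reused or
    previously breached passwords are weak regardless of this number, so a
    real policy also screens candidates against breach lists.
    """
    return entropy_bits(password) >= min_bits


if __name__ == "__main__":
    # Constructed sample passwords: short mixed-case, longer mixed-class, long passphrase.
    for pw in ["Summer24", "Tr0ub4dor&3", "correct-horse-battery-staple-9"]:
        days = seconds_to_exhaust(pw) / 86400
        print(f"{pw!r:36} classes={sorted(classes_used(pw))} "
              f"bits={entropy_bits(pw):5.1f} worst-case={days:.2e} days "
              f"policy={'ok' if meets_policy(pw) else 'FAIL'}")
```

Run as a script it prints one line per sample password. The eight-character mixed-case password with digits draws from a 62-symbol alphabet, which at the assumed rate is exhausted in a matter of hours; adding length raises the cost far faster than adding symbol classes does, which is why length is the lever a policy should pull first.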

They also use “malware,” malicious software that is designed to get behind a wealth manager’s cyber defenses, export confidential client information, initiate fraudulent transactions, alter legitimate ones, and even take control of company systems. Unfortunately, every system can both be infected by and infect any device that is connected to it.

Indirect attacks. However, it is far easier for cybercriminals to indirectly breach wealth managers by targeting clients and employees who work remotely. And insiders—i.e., rogue employees, untrained employees, vendors, etc.—can easily misuse access to the company to steal information and assets.

Additionally, the default settings for most devices as well as certain Web browsers and search engines automatically record the user IDs and passwords for each account accessed. Thus, by breaching a device that is not properly protected, cybercriminals can access the credentials for hundreds of accounts.

That said, the easiest way for cybercriminals to breach an employee working remotely is through smart technology connected to a home network. Breaching a single device can effectively compromise everything—including work devices—connected to the system.

Targeting clients as vectors. Cybercriminals also increasingly target clients with poor personal cybersecurity. Compromised client personal email and text messaging accounts have been used to generate messages to infect their wealth manager’s systems and/or initiate fraudulent transactions. Unprotected client social media accounts are used to create voice and image clones that pose as clients. And breached client home networks are regularly used to compromise devices and online accounts.

Insiders. Insiders—i.e., rogue or untrained employees, vendors and even rogue clients—download and sell client information and/or try to steal client assets.

Foundational Cybersecurity Defenses
The starting point for wealth management firm cybersecurity consists of three layers of foundational defenses made up of several sublayers that every participant regardless of size or business model should implement.

Layer I—Direct Attack Defenses
Essential to defending against direct attacks are correctly constructed and maintained IT systems. Should CEOs discover that these 12 measures are not already in place, they should seriously consider the competency and adequacy of their IT staff and/or outsourced technology provider.

Layer II—Indirect Attack Defenses
There are four sublayers of indirect attack defenses:

(i) Sublayer 1—Client Cybersecurity
Persuading clients to operate online more responsibly is integral to defending against indirect attacks. That said, there is an immense difference between what firms can demand of employees at work versus the cybersecurity measures that clients (and employees personally) may be willing to adopt. More specifically, clients will simply disregard cyber protections if using them makes operating online onerous, and few are willing to invest large amounts of time or money and/or sacrifice their privacy for the sake of better personal cybersecurity.

Consequently, personal cybersecurity programs must (i) have a quick and painless set up process; (ii) not materially complicate a user’s ability to function online; (iii) have a reasonable cost; and (iv) neither track what users do online nor allow outsiders to access any of their passwords.

Effective client cybersecurity has two components—(i) creating a personal digital security structure and (ii) cyber education.

(ii) Sublayer 2—Risk-based Interaction
Wealth managers must assess the personal cybersecurity of each client and then utilize different protocols for interacting with them based on that assessment.

For those clients with poor personal cybersecurity, firms must separately contact them using alternative channels and personal questions to confirm their identity prior to even opening emails or text messages. Advisors must also take extraordinary steps to confirm client identities prior to initiating the transfer of client assets to new accounts or financial institutions.

(iii) Sublayer 3—Employee Cybersecurity
There are three aspects to employee cybersecurity: (i) work cybersecurity; (ii) personal cybersecurity; and (iii) training and education.

(iv) Sublayer 4—Insider Threat Management
There are three aspects to insider threat management.

Layer III—Damage Reduction Defenses
As noted earlier, every firm at some point will be breached. Therefore, it is essential to take steps that will reduce the potential resulting damage. There are two sublayers of such defenses.
(i) Sub-Layer 1—Complicating the Theft of NPPI
There are three sets of steps that wealth managers should take to complicate the ability of cybercriminals to steal client NPPI.

(ii) Sub-Layer 2—Risk-controlling asset transfers

Widespread “SIM-swapping”—i.e., criminals taking over the phone numbers of their victims so that all calls and text messages are diverted—along with the widespread use of deep fakes has rendered traditional means of verifying transactions obsolete. Instead, wealth managers must utilize four steps for risk-controlling asset transfers.
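The risk-based interaction rules in Sublayer 2 (contact clients rated as having poor personal cybersecurity through an alternative channel and with personal questions before acting on an email or text, and take extra steps before moving assets to a new account) and the SIM-swapping point above share one design principle: never confirm a request on the channel it arrived on, never use contact details supplied in the request itself, and do not let a phone number alone vouch for a transfer to a new destination. The code below is an added illustration of that principle, not code from the authors' paper, and it does not reproduce the paper's four steps, which the article does not list; the "good"/"poor" ratings, the channel names, the requirement of two distinct channels for new destinations and the sample clients are all assumptions constructed for the example.

```python
"""Risk-based verification of client asset-transfer requests (added illustration).

Encodes the verification principles described in the article. Ratings,
channel names and thresholds are constructed assumptions for the example,
not the authors' protocol.
"""
from dataclasses import dataclass, field

PHONE_CHANNELS = {"sms", "phone"}       # channels a SIM swap can divert


@dataclass
class Client:
    client_id: str
    cyber_rating: str                    # firm's own assessment: "good" or "poor"
    known_destinations: set = field(default_factory=set)


@dataclass
class TransferRequest:
    client_id: str
    arrival_channel: str                 # channel the instruction arrived on
    destination: str


@dataclass
class Confirmation:
    channel: str                         # channel the firm used to reach the client
    contact_from_record: bool            # address/number taken from the client file?
    identity_questions_passed: bool = False


@dataclass
class Decision:
    decision: str                        # "approve" or "hold"
    reasons: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def is_new_destination(client: Client, req: TransferRequest) -> bool:
    return req.destination not in client.known_destinations


def required_checks(client: Client, req: TransferRequest) -> dict:
    """Derive what evidence this request needs before it may be acted on."""
    new_dest = is_new_destination(client, req)
    return {
        "identity_questions": client.cyber_rating == "poor",   # Sublayer 2 rule
        "non_phone_confirmation": new_dest,                    # SIM-swap defence
        "min_channels": 2 if new_dest else 1,                  # assumed threshold
    }


def evaluate(client: Client, req: TransferRequest, confirmations: list) -> Decision:
    """Approve only when the confirmations satisfy every required check."""
    need = required_checks(client, req)
    result = Decision("approve")

    # Contact details that came from the message itself prove nothing: whoever
    # wrote the message controls them. Such confirmations are logged and ignored.
    usable = [c for c in confirmations if c.contact_from_record]
    if len(usable) < len(confirmations):
        result.warnings.append("ignored confirmation using contact details not on file")

    # A confirmation on the arrival channel is circular; only other channels count.
    independent = [c for c in usable if c.channel != req.arrival_channel]
    if not independent:
        result.reasons.append("no confirmation on a channel other than the arrival channel")
    if need["identity_questions"] and not any(c.identity_questions_passed for c in usable):
        result.reasons.append("client rated poor: personal identity questions not passed")
    if need["non_phone_confirmation"] and not any(
            c.channel not in PHONE_CHANNELS for c in independent):
        result.reasons.append("new destination: needs a confirmation not tied to the phone number")
    if len({c.channel for c in independent}) < need["min_channels"]:
        result.reasons.append(f"need {need['min_channels']} distinct independent channel(s)")

    if result.reasons:
        result.decision = "hold"
    return result


if __name__ == "__main__":
    # Constructed sample: a poorly protected client asks by email to pay a new account.
    client = Client("C-001", "poor", known_destinations={"ACCT-OLD"})
    req = TransferRequest("C-001", "email", "ACCT-NEW")
    evidence = [Confirmation("sms", contact_from_record=False),
                Confirmation("phone", contact_from_record=True, identity_questions_passed=True),
                Confirmation("portal", contact_from_record=True)]
    print(evaluate(client, req, evidence))
```

The hold reasons are deliberately specific so that operations staff can see which step is still missing rather than a bare rejection. Note that a request that arrives by phone and is "confirmed" by calling the same number back is held even when that number is on file, because a criminal who has swapped the SIM answers both calls.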

Cybersecurity Protocols For Wealth Managers
In addition to the foundational cybersecurity defenses, we advocate a series of incremental measures for wealth managers to consider. The specific steps appropriate for a particular firm are directly tied to how frequently it must access client NPPI and custodial accounts.

Tier I Cybersecurity Protocol
This protocol is most appropriate for industry participants that only infrequently access client NPPI and accounts (as is typical for most traditional wealth managers). It requires another layer of defenses made up of four enhanced damage reduction measures.

Tier II Cybersecurity Protocol
Wealth managers that require frequent access to client NPPI—and thus, storing it entirely offline would be impractical—should implement six measures that reduce the likelihood of a breach and further complicate the ability to steal client NPPI and assets.

Tier III Cybersecurity Protocol
Firms—such as investment counselors and multi-family offices—for which storing client NPPI offline and air gapping trading is impractical, must rely on “zero trust” systems. These include the foundational defenses, the first five incremental steps of the Tier II protocol above, and four additional measures.

Over time, the SEC will develop its own views and policies as to what constitutes industry “best practices.” And while the Commission may struggle to keep pace with rapidly evolving cybersecurity threats, wealth managers will nonetheless have to be responsive to change. Thus, our recommendations solely serve as starting points that should be independently considered to determine if they are appropriate for a specific firm at a specific time.

Lastly, although the good news is that an effective program for most firms is neither complicated nor expensive, more than a few readers likely will be surprised by the scope and number of measures required to adequately address these threats. However, it is 2024 and not 1994, and the world is a very different place than it was thirty years ago. Indeed, the cybersecurity world changes every year.

Mark Hurley is the CEO of Digital Privacy & Protection; Brian Hamburger is the CEO of MarketCounsel Consulting; and Carmine Cicalese is the president of Cyber CIC. A full copy of the paper on which this article was based can be found at www.dpripro.com or www.MarketCounsel.com.