Wealth managers face a new reality. The costs of cybercrime will soon reach $10.5 trillion per year (according to Cybersecurity Ventures)—which is larger than the sale of all illegal drugs worldwide, combined—and financial industry participants and their clients are compelling targets. Numerous firms have already been attacked and millions of dollars of client assets have been stolen.
The U.S. Securities & Exchange Commission, along with many state regulators, has made it clear it will expect industry participants to have cybersecurity protections in place. Unfortunately, most participants have up to now largely ignored cybersecurity. The good news is that an effective program for most firms is neither complicated nor expensive.
However, it is important to dispel two foolish notions prevalent in the industry. First, many people assume that cybercrime can largely be addressed by acquiring the right technology. Certainly, that’s a precondition. But it’s almost always the human part of tech defense that makes firms vulnerable, regardless of the software being used. The success of any cybersecurity program depends heavily on the behavior of individual stakeholders.
Second, many industry executives think it’s inappropriate for their firms to get “involved” in their clients’ or employees’ personal cybersecurity. That’s like a pig believing it’s inappropriate to get “involved” in a ham and egg breakfast. Cybercriminals have unfortunately stripped wealth managers of that option.
The easiest way to breach a firm’s defenses is through its clients and employees working away from the office. A recent study found that 82% of all financial services company breaches were made through employees working remotely, and nearly every wealth manager has already been subjected to indirect cyberattacks involving their clients.
To create an effective cybersecurity program, you’ll need to understand who the bad guys are and what they are trying to steal, as well as what your regulatory obligations are as an industry participant.
Three Core Cybersecurity Concepts
It’s also important to remember these three concepts:
1. Everything connected to the internet will at some point be breached, regardless of what people do to stop it.
The behavior of cybercriminals is driven by a cost/benefit analysis tied to how much time and resources are required to breach a company versus the value of what can be stolen.
2. Cybersecurity is an exercise in risk management and resource allocation.
CEOs must balance the level of cyber risk that their firm can bear with what they can and want to spend on cyber defenses.
3. Minimizing damage is just as important as blocking hacks.
The inevitability of a breach also makes identifying and implementing steps to minimize any potential damage an equally important aspect of an effective cybersecurity strategy.
Who Are The Bad Guys?
Cybercriminals can be generally divided into two groups. One group is the state-backed or state-tolerated cybergangs that operate openly in China, Russia, Iran and North Korea. The other group is the thousands of smaller cybergangs operating in every country in the world.
All of them are after client information and assets. A client’s non-public personal information, when accessed by thieves, can be used for identity theft—which is now a $54 billion per year industry all its own. Cybercriminals also target liquid assets that can be wired out of client accounts.
Key Obligations Under The Proposed Cybersecurity Rules
The new proposed SEC regulations include a lot of language that people might see as open to interpretation, for instance that its registered firms must have “adequate” cybersecurity policies and procedures or risk an enforcement action, and that the policies and procedures are to be “reasonably designed to address cybersecurity risks.” If the SEC concludes that a firm operated with “inadequate” cybersecurity, “the registrant faces downside risks” (in other words, commission enforcement actions).
Importantly, the rules make no differentiation between breaches resulting from indirect and direct attacks. This is problematic, since wealth managers are far more likely to be breached indirectly through clients and employees working remotely than to be hit by a direct attack.
The proposed rules are clear in saying the SEC views cybersecurity as not just the responsibility of firms but also of individual employees. RIAs would be required to self-report any material breaches to the SEC within 48 hours of being detected. The proposed rules also included expanded risk disclosure obligations, namely that wealth managers must “in plain English, describe cybersecurity risks that could materially affect the advisory services they offer” and that they must “promptly” disclose any material breaches to clients.
There are other implications in the new SEC proposals. One is that firms would have to inform their clients that their stolen money likely won’t be reimbursed if their custodial accounts are attacked. And any large breach could hurt a wealth manager’s long-term business, since it would have to be disclosed to every current, future and potential client. Another proposal obligates wealth managers to create policies limiting the cyberattack risks from insiders (i.e., rogue employees, vendors, etc.).
How Cybercriminals Attack Wealth Managers
Criminals attack using a variety of evolving tactics. For instance, they penetrate company systems and steal client information. They purloin credentials for accessing custodial accounts and then pose as either the client or wealth manager. They initiate fraudulent transactions, and intercept the subsequent communications meant to verify them.
Cybercriminals were also early adopters of artificial intelligence (AI) software and have used it to create so-called “deep fakes”—very accurate clones of individuals’ voices and images, which they use in “social engineering” tactics. There is even a do-it-yourself video guide for creating deep fakes that can be used for Zoom calls.
Direct And Indirect Attacks
Cybercriminals directly attack weak points in company systems, usually stemming from misconfigured tech stacks or short and/or unsophisticated passwords. Approximately one million passwords are compromised every week in what are called “brute force attacks,” where attackers try a barrage of combinations in an attempt to guess poorly chosen passwords. A recent study showed that a computer using ChatGPT was able to correctly guess an eight-character alphanumeric password with upper and lowercase letters, numbers, and symbols in less than one second.
Attackers also use “malware,” malicious software designed to get behind a wealth manager’s cyber defenses, export confidential client information, initiate fraudulent transactions, alter legitimate ones, and even take control of company systems. Unfortunately, every system can both be infected by and infect any device that is connected to it.
Indirect attacks are often easier for cybercriminals, who can breach wealth managers’ systems instead by targeting clients and employees who work remotely. And insiders—i.e., rogue employees, untrained employees, vendors, etc.—can easily misuse access to the company to steal information and assets.
Clients are target vectors because they have poor personal cybersecurity. When their personal email and texts are compromised, their accounts can be used to generate messages to infect their wealth manager’s systems or initiate fraudulent transactions. If they don’t protect their social media accounts, these can be used to create voice and image clones so that the scammers can pose as clients. And breached client home networks are regularly used to compromise devices and online accounts.
The easiest way for cybercriminals to breach a remote employee’s device is through smart technology connected to a home network. Breaching a single device can effectively compromise everything—including work devices—connected to the system.
The default settings for most devices, as well as certain web browsers and search engines, automatically record users’ IDs and passwords for every account they access. So if a cybercriminal breaches a device that is not properly protected, they can access the credentials for hundreds of accounts.
Foundational Cybersecurity Defenses
Wealth management firms trying to build their cybersecurity defenses should start with three layers of foundational defenses, made up of several sublayers. These would be the same for firms of any size or business model. (See exhibit 1.)
Layer I—Direct Attack Defenses
The first line of defense against a direct attack is a correctly constructed and maintained IT system.
• This system requires firms to use multi-factor authentication.
• It limits access to company systems.
• It requires conducting cyber-diligence on all vendors.
• It means filtering emails.
• It requires regularly and systematically updating software patches.
• It requires firms to follow protocols for working remotely.
• It means using Active Directory/service accounts and properly maintaining web domains.
• And it means having integrated incident response and disaster recovery backup plans.
If a CEO discovers that these measures are not already in place, they should seriously consider the competency and adequacy of their IT staff or the third-party technology provider they use.
Layer II—Indirect Attack Defenses
There are four sublayers of indirect attack defenses. (See exhibit 2.)
Sublayer 1—Client Cybersecurity: Wealth managers wanting to defend themselves against indirect attacks must persuade their clients to be more responsible when they’re online. This can be difficult if the demands are onerous or if the clients are asked to invest large amounts of time or money (it’s easier to get employees to comply).
Given the possible resistance from clients, the personal cybersecurity programs you choose must have the following characteristics:
• They must have a quick and painless setup process.
• The programs must not greatly complicate a user’s ability to function online.
• They must be reasonably priced.
• They should neither track what users do online nor allow outsiders to access any of their passwords.
Sublayer 2—The Risks Of Client Interaction: Wealth managers must assess the personal cybersecurity of each of their clients and then use different protocols for interacting with them based on that assessment.
For those clients with poor personal cybersecurity, firms must separately contact them using alternative channels and personal questions to confirm their identity before even opening emails or text messages. Advisors must also take extraordinary steps to confirm their clients’ identities before initiating a transfer of assets to new accounts or financial institutions.
Sublayer 3—Employee Cybersecurity: Your employees’ cybersecurity will require training and education and will apply to the precautions they take at work as well as the personal precautions they take at home.
Sublayer 4—Insider Threats: There are three aspects to insider threat management:
• Advisors must limit the access to clients’ non-public personal information, letting only those who need to know it have access and allowing only those who need to use it to download it.
• Advisors must also monitor their new employees’ online behavior and limit the access of departing employees.
• And finally, advisors should keep all devices with sensitive client information in a secure room with limited access.
Layer III—Damage Reduction
As we noted before, every firm at some point will be breached. That means it’s essential for advisors to take steps to reduce any potential damage. There are two sublayers of such defenses. (See exhibit 3.)
Sublayer 1—Non-Public Personal Information: Wealth managers should make it too complicated to steal this information: They should delete any unnecessary client information. They should store all online client info in the cloud. And they should segment and compartmentalize that information.
Sublayer 2—Asset Transfers: Cybercriminals are able to take over the phone numbers of their victims through what’s called “SIM-swapping,” in which all calls and text messages are diverted to them. This attack, alongside the widespread use of deep fakes, has made traditional means of verifying transactions obsolete. So wealth managers will have to take three steps to control the risk of asset transfers.
First, they should only immediately transfer assets to pre-existing known client accounts and store the wiring instructions for those accounts offline. Second, all other asset transfers will require significant additional diligence. Lastly, clients must be educated on why it will take much more time to wire money to new recipients.
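The three steps above, together with the out-of-band identity checks described under Sublayer 2 of Layer II, can be expressed as a simple decision gate. The following Python is an added illustration, not code from the authors or from any firm's systems; the payee registry, the 48-hour hold period, the channel names and the sample requests are all constructed assumptions.

```python
"""Asset-transfer gate for the three-step control described above.

Added example with constructed data: the payee registry, hold period and
request records are made up for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical registry of pre-existing, previously verified client accounts.
# The text calls for these wiring instructions to be stored offline; in this
# stand-alone example they are an in-memory set keyed by (client, account).
KNOWN_PAYEES = {
    ("client-001", "ACCT-US-123456789"),
    ("client-002", "ACCT-US-987654321"),
}

# Assumed minimum hold before releasing a transfer to a new recipient.
HOLD_PERIOD = timedelta(hours=48)

# Channels a SIM swap or mailbox takeover can hijack; a confirmation received
# over them is not independent of the (possibly forged) request itself.
NON_INDEPENDENT_CHANNELS = {"email", "sms"}


@dataclass
class TransferRequest:
    client_id: str
    destination_account: str
    amount: float
    received_at: datetime
    # Filled in by the advisor after confirming identity out of band
    # (e.g. a call-back on a number already on file plus personal questions).
    verified_at: Optional[datetime] = None
    verification_channel: Optional[str] = None


@dataclass
class Decision:
    action: str                      # "release" or "hold"
    reasons: list = field(default_factory=list)


def evaluate_transfer(req: TransferRequest, now: datetime) -> Decision:
    """Apply the three-step control to a single transfer request."""
    # Step 1: only pre-existing, known client accounts are released immediately.
    if (req.client_id, req.destination_account) in KNOWN_PAYEES:
        return Decision("release", ["destination is a pre-verified client account"])

    # Step 2: every other destination requires significant additional diligence.
    reasons = ["destination is not a pre-verified client account"]
    if req.verified_at is None:
        reasons.append("no out-of-band identity verification recorded")
        return Decision("hold", reasons)
    if req.verification_channel is None or req.verification_channel in NON_INDEPENDENT_CHANNELS:
        reasons.append(f"verification over {req.verification_channel!r} is not independent of the request")
        return Decision("hold", reasons)
    if now - req.received_at < HOLD_PERIOD:
        reasons.append("new-recipient hold period has not elapsed")
        return Decision("hold", reasons)
    reasons.append("out-of-band verification recorded and hold period elapsed")
    return Decision("release", reasons)


def client_notice(decision: Decision) -> str:
    """Step 3: plain-language explanation to the client of why a transfer waits."""
    if decision.action == "release":
        return "Your transfer has been released."
    return ("Your transfer is on hold because the destination is new to us. Before we "
            "wire funds to a new recipient we confirm the request with you through a "
            "channel we already have on file and apply a waiting period. Details: "
            + "; ".join(decision.reasons) + ".")


def demo_scenarios() -> dict:
    """Constructed requests covering each branch; returns scenario name -> action."""
    t0 = datetime(2024, 3, 4, 9, 0)
    now = t0 + timedelta(hours=49)
    scenarios = [
        ("known_account", TransferRequest("client-001", "ACCT-US-123456789", 25_000.0, now)),
        ("unverified", TransferRequest("client-001", "ACCT-NEW-000001", 25_000.0, t0)),
        ("sms_only", TransferRequest("client-001", "ACCT-NEW-000001", 25_000.0, t0,
                                     verified_at=t0, verification_channel="sms")),
        ("too_soon", TransferRequest("client-001", "ACCT-NEW-000001", 25_000.0,
                                     now - timedelta(hours=1),
                                     verified_at=now, verification_channel="callback")),
        ("diligent", TransferRequest("client-001", "ACCT-NEW-000001", 25_000.0, t0,
                                     verified_at=t0 + timedelta(hours=1),
                                     verification_channel="callback")),
    ]
    return {name: evaluate_transfer(req, now).action for name, req in scenarios}


if __name__ == "__main__":
    for name, action in demo_scenarios().items():
        print(f"{name}: {action}")
```

The design point is that an email or text confirmation never counts as diligence for a new recipient, because those are exactly the channels SIM-swapping and mailbox takeover give the attacker; only a call-back on contact details already on file satisfies the gate, and even then the hold period still applies.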
Cybersecurity Protocols For Wealth Managers
Besides these foundational cybersecurity defenses, we advocate that wealth managers turn to a series of other incremental measures. The specific steps appropriate for a particular firm are directly tied to how frequently it must access clients’ non-public personal information and custodial accounts.
Tier I—Cybersecurity Protocol
This protocol is most appropriate for industry participants who only infrequently access client personal information and accounts (as is typical for most traditional wealth managers). It requires another layer of defenses made up of four enhanced damage-reduction measures:
• Storing all non-public personal information offline;
• Prohibiting the downloading of client information from third-party vendors;
• Keeping any remaining online client information anonymous; and
• Physically isolating (or “air-gapping”) networks for the trading of client accounts.
Tier II—Cybersecurity Protocol
Wealth managers that require frequent access to client non-public personal information—and for whom storing it entirely offline would be impractical—should implement six measures to reduce the likelihood of a breach and further complicate criminals’ ability to steal client information and assets. These measures include:
• Storing rarely used client non-public personal information offline;
• Further segmenting and compartmentalizing non-public personal information stored online;
• Doing penetration tests of third parties;
• Using intrusion protection systems;
• Air-gapping the trading of client accounts; and
• Using data transfer alerting software.
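The “data transfer alerting” item above, the need-to-know download limits and the monitoring of new employees under Sublayer 4 of Layer II all reduce to the same detection logic run over a download audit trail. The following Python is an added example, not a product or code from the authors; the log line format, the role and destination policy, the 100-record threshold, the ten-minute window and the sample lines are all constructed.

```python
"""Data-transfer alerting over constructed download audit log lines.

Added example. The log format and the policy constants are assumptions,
not taken from any real product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: one line per bulk download/export of client records.
SAMPLE_LOG = """\
2024-03-04T09:01:12Z user=alice role=advisor action=download records=12 dest=workstation
2024-03-04T09:03:40Z user=bob role=ops action=download records=3 dest=workstation
2024-03-04T09:05:02Z user=alice role=advisor action=download records=40 dest=workstation
2024-03-04T09:06:55Z user=alice role=advisor action=download records=450 dest=usb
2024-03-04T09:20:10Z user=carol role=marketing action=download records=5 dest=workstation
2024-03-04T10:15:00Z user=bob role=ops action=export records=30 dest=mail:gmail.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"records=(?P<records>\d+) dest=(?P<dest>\S+)$"
)

# Assumed policy: roles allowed to download client records at all, approved
# destinations, a volume threshold per sliding window, and users who are in
# their new-hire monitoring period.
ROLES_MAY_DOWNLOAD = {"advisor", "ops"}
APPROVED_DESTS = {"workstation"}
VOLUME_THRESHOLD = 100
WINDOW = timedelta(minutes=10)
NEW_HIRES = {"bob"}


def parse_line(line: str):
    """Parse one audit line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["records"] = int(ev["records"])
    return ev


def detect(log_text: str) -> list:
    """Return (alert_kind, user, timestamp) tuples for policy violations."""
    alerts = []
    per_user = defaultdict(list)  # user -> [(ts, records)] within the window
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        # Need-to-know: only permitted roles may download at all.
        if ev["role"] not in ROLES_MAY_DOWNLOAD:
            alerts.append(("role_not_permitted", ev["user"], ev["ts"]))
        # Data leaving approved locations (removable media, personal mail).
        if ev["dest"] not in APPROVED_DESTS:
            alerts.append(("unapproved_destination", ev["user"], ev["ts"]))
        # New employees' download activity is surfaced for review.
        if ev["user"] in NEW_HIRES:
            alerts.append(("new_hire_activity", ev["user"], ev["ts"]))
        # Sliding-window volume check per user.
        hist = per_user[ev["user"]]
        hist.append((ev["ts"], ev["records"]))
        hist[:] = [(t, r) for t, r in hist if ev["ts"] - t <= WINDOW]
        if sum(r for _, r in hist) > VOLUME_THRESHOLD:
            alerts.append(("bulk_download", ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, user, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:22} {user}")
```

On the sample lines this raises six alerts: alice's 450-record copy to USB trips both the destination and volume rules, carol's download is blocked by role, and both of bob's actions are surfaced because he is a new hire, the second also because it went to an outside mail domain. The window check is what separates a normal working pattern (a few records at a time) from the bulk pull that precedes an insider theft.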
Tier III—Cybersecurity Protocol
For some firms, such as investment counselors and multifamily offices, it’s impractical to store and air-gap clients’ non-public personal information. Such firms must rely on “zero trust” systems: These include foundational defenses, the first five incremental steps included in the Tier II protocol we discussed earlier and four additional measures:
• They should use only company-owned or managed devices.
• They should use enhanced firewalls and intrusion-protection systems.
• They should expand their IT staff.
• They should hire a chief information security officer (or CISO).
Best Practices
Over time, the SEC will develop its own views and policies for what constitutes industry “best practices.” And while the agency may struggle to keep pace with rapidly evolving cybersecurity threats, wealth managers will nonetheless have to be responsive to change. Thus, our recommendations serve only as starting points for firms that will have to make their own independent assessments.
The good news is that an effective program for most firms is neither complicated nor expensive, though more than a few readers will likely be surprised by the scope and number of measures required to adequately address these threats. However, this is 2024, not 1994. The world is a very different place than it was 30 years ago. And cybersecurity changes every year.
Mark Hurley is the CEO of Digital Privacy & Protection. Brian Hamburger is the CEO of MarketCounsel Consulting. Carmine Cicalese is the President of Cyber CIC.