Few things have caused more migraines for wealth management firm compliance officers than cybersecurity. The SEC promulgated Regulation S-P in 2016 mandating written policies and procedures for the “protection of customer records and information.” New rules proposed in February 2022 require written policies and procedures that “are reasonably designed to address cybersecurity risks” and that “significant cybersecurity incidents” be reported. Then, the SEC brought enforcement actions against three major industry participants in July for failing to have the necessary programs to prevent client identity theft.
Although being cited with an enforcement action is a catastrophe, there is a bigger, even potentially existential threat looming over wealth managers with poor cybersecurity. They will soon discover that no custodian will be willing to custody their clients’ assets, effectively putting them out of business.
Why? The moral hazards created by poor cybersecurity make it irrational for a custodian to provide the service. The liability and economic damage due to cybertheft from a custodial account is asymmetrically worse for the custodian than for the wealth manager.
Certainly, such an adverse event could cost the wealth manager clients and it will have to explain its actions to the SEC. But the custodian must defend why it should not be liable for any of the funds that were stolen, which could be millions of dollars.
Moreover, the core bargain is that the wealth manager will assume many of the normal responsibilities of the custodian in exchange for its clients paying significantly lower than retail investment management and custodial fees. The custodian deals directly with the wealth manager and not its hundreds, or even thousands, of clients. It relies on the wealth manager’s instructions when transferring assets. More importantly, it is the wealth manager’s responsibility to ensure that what is communicated to the custodian reflects the actual wishes of the client.
To be sure, custodians very rationally protect themselves—as we described in a white paper that we published two weeks ago—through one-sided agreements that force clients to bear the preponderance of risk of their accounts being breached. For example, one agreement shields the custodian from liability unless the theft “[occurred] through no fault of [the client].” Another makes clients “liable for any loss or damage arising from any activity that occurs via the use of [the client’s] password and/or user ID.”
However, dealing with a hacked account is very costly and time consuming for custodians, and they still might be held at least partially liable for the losses. Consequently, working with wealth managers that are irresponsible with cybersecurity quickly becomes bad business.
Custodians often respond to such events by conducting extensive due diligence on the wealth manager’s processes and cyber defenses, as well as on the amounts and terms of its cyber insurance. If any are found lacking, they will not hesitate to fire both the wealth manager and its clients as customers.
Similarly, they also evaluate the breached client’s personal cybersecurity, if for no other reason than to protect themselves from potential liability. But, at some point, if too many of a wealth manager’s clients are breached—even if it is the fault of the clients and not the firm—the custodian will be forced to decide whether it is economic to continue to provide its services to that organization.
For example, in a handful of instances that were not widely publicized, money was stolen from a client’s account and the custodian effectively fired the wealth manager. Letters were sent to both the wealth manager and its clients informing them that they needed to find another party to custody their assets.
Imagine having to explain to clients how your firm’s inadequate cybersecurity practices forced this change. Even more problematic, good luck finding a custodian to take your clients’ assets. For all its size, the wealth management industry is still a very small community, and most custodial executives have at one point worked for their competition. Hence, they will invariably and quickly determine why a wealth manager is suddenly looking for a new custodian.
To be sure, all of this is a risk-benefit calculation. Everyone and everything connected to the Internet, including cloud services, blockchain and even national security agencies such as the CIA and DOD, has at some point been breached. Moreover, custodians recognize this is a risk of doing business. Hence, when evaluating a wealth manager’s cybersecurity, the goal is to estimate the likely frequency of such events as well as the potential resulting damage.
This said, as the level of cybercrime rises over time—and it has increased by 600% since the onset of Covid and is expected to double again over the next three years—the calculus will change. Custodians will be forced to demand increasingly higher standards from the firms that they work with to offset the increased risk. And they will not only scrutinize wealth managers’ cyber defenses but also take a hard look at what they are doing to help their clients in this area.
In a survey at the most recent T3 conference, a staggering 75% of the responding wealth management firms indicated they do not use any outside technology to help manage their cyber risks. Clearly, being the compliance officer at one of these organizations must be one of the most stressful jobs in this industry.
Mark Hurley is the CEO of Digital Privacy & Protection.