Cyber threats and what wealth managers will be forced to do about them will disrupt the industry in ways that are hard for many participants to fathom. Quite candidly, most firms currently are largely somnambulant about these risks. Many have done little to protect themselves, and even the industry’s currently best-prepared participants are unaware of the scope of the additional changes and measures that they will need to implement to protect themselves and their clients.
Wealth management firm cybersecurity will soon be comparable to that of major law firms and the Big Four accounting firms. It will be expensive and cumbersome and, unlike other business investments, will reduce rather than enhance productivity and profitability.
Industry participants will also find that they are in a different regulatory environment. They will have to disclose their cyber risks and what they are doing to address them. And if breached, they will be required to self-report to the SEC and disclose what happened and why to every current and future client.
This is the first in a series of articles that will examine the nature and size of the cyber threats to wealth managers, the specific steps that industry participants will be forced to undertake and the risks that they will have to manage. This article looks at the external threats.
Cybercrime will soon be a $10.5T global business, larger than the sale of all illegal drugs worldwide, combined. The first step in protecting oneself is to understand who the bad guys are, their economics and how they choose targets.
Cybercriminals generally operate as part of one of two types of enterprises. The first are cybergangs located in countries such as China, Russia, Iran and North Korea. They are large businesses that need to steal significant amounts of money just to cover their operating costs.
Their leadership often includes military cyberwarfare and intelligence officers who moonlight as cyberthieves. They are extremely sophisticated and have been able to breach cloud services and blockchain and even the DOD and CIA. They are so capable that it is no longer a question of whether everyone and everything online can be breached, but rather how frequently and how much damage will accompany a breach. Indeed, cybersecurity is a process of risk minimization and not risk elimination.
There are also numerous smaller cybercrime enterprises located in nearly every country, including the United States. They range from individuals to teams of criminals and while technically proficient, they lack the infrastructure and processing power of their nation-state backed counterparts. They also are typically not vertically integrated businesses and mostly profit from selling stolen information for relatively small amounts of money to their larger counterparts on a part of the Internet known as the “Dark Web.”
Both types of criminal enterprises focus their efforts on organizations with weak cyber defenses, or on individuals and vendors with poor cybersecurity with which the targets must interact. And just as sharks repeatedly return to parts of the ocean where they have found a great deal to eat, cybercriminals consistently return to those types of businesses from which they have been able to steal something of material value.
They have had immense success targeting law and accounting firms. For example, information stolen in cyberattacks against Cravath Swaine & Moore and Weil Gotshal & Manges was used as part of a multimillion-dollar insider trading scheme; Cadwalader, Wickersham & Taft had its email system held for ransom by hackers last year; and Uber client data was stolen when Genova Burns was breached. Deloitte was breached and had confidential client information stolen in 2016; Bansley and Kiener is a defendant in a class action lawsuit resulting from the cybertheft of client healthcare data; and a recent breach of Harding, Shymanski & Company led to a series of fraudulent tax returns being filed on behalf of clients.
Unsurprisingly, many such organizations are now investing millions of dollars upgrading their cyber defenses, making them hardened, less attractive targets. Cybercriminals recognize this and are shifting accordingly to softer ones such as wealth managers.
Indeed, the SEC reported that 74% of industry participants examined have already been targeted in an attack. The number and scope of such attacks are almost certain to increase because many firms have weak cybersecurity despite having access to billions of dollars of liquid financial assets in client accounts as well as large amounts of personal client information.
Wealth managers typically are authorized to direct that money be wired out of the client accounts to third parties. Consequently, either breaching a wealth manager’s systems or duping it into incorrectly believing that a client wants assets sent out of their account creates an opportunity to steal money.
Client information is in some ways equally valuable because it can be used to steal identities. Fifty-two billion dollars is stolen each year in the United States through identity theft, victimizing nearly 42 million Americans. Stolen identities are used to purloin credit, health insurance and tax returns.
The theft of either is a disaster for the wealth manager involved. It is financially and regulatorily liable for any stolen funds and information. Although it may have cyber insurance, such agreements are often difficult to enforce. It is also obligated to inform its clients and, under proposed rules, the SEC as well. As we will expand on later in this series, it is also at great risk of an enforcement action.
The late, great Kurt Cobain once said, “Just because you are paranoid, it doesn’t mean they are not out to get you.” You are not being paranoid if you think cybercriminals are coming after your firm.
Mark Hurley is CEO of Digital Privacy and Protection (DPP). Carmine Cicalese, COL, U.S. Army Retired, is senior advisor and partner at DPP.