Even worse, the bad guys are so sophisticated that not long ago they managed to get a client’s custodial account information.
They then called the client’s house, pretending it was a routine telemarketing call; the client picked up the phone and answered “yes” to several innocuous-sounding questions. What’s the harm, right? Well, the hackers tape-recorded the answers, then directed the custodian to wire $500,000 to a bank in Hong Kong. When the custodian called the client to confirm the wire transfer, the call was intercepted by the crooks, who responded to questions with the tape recordings of the client saying, “Yes. ... Yes.” It worked and ultimately cost the client $5,000 to get the money back.

But this cyber threat is not just limited to client assets. As wealth managers become bigger businesses, they too will become targets. Imagine if you came into your office one morning and you couldn’t access any client data, e-mails, phone numbers, financial plans or portfolios, nor your billing, compliance and personnel information. How could you function? And how long would it take to replace this information and what would you pay to get it back?

To prevent this from happening, wealth managers are going to have to change how they operate. First and foremost, they need to hire a sophisticated chief information security officer. But given that today there is a nationwide shortage of about 300,000 people with this expertise, filling this position is going to be expensive.

And if you thought dealing with a compliance officer was annoying, wait until you see the policies that a competent CISO (Chief Information Security Officer) is going to put in place. All client and company NPPI (non-public personal information) is going to be maintained on a separate set of computers that are disconnected from the internet, and access to them is going to be tightly controlled.

Employees are going to have one phone for work and another for personal use. Access to the firm’s information systems from home computers is going to be much more limited.

Likewise, expect to spend a lot of money on specialized legal advice because insufficient information security is a quick way to wind up getting a regulatory enforcement action. Firms are going to have detailed, written protocols and everyone in the organization is going to have to follow them to the letter.

Remember the big hack at Target that affected 40 million customers? The virus was accidentally let loose by a vendor installing a digital thermostat in the company’s computer system. Guess who is responsible if something like that happens to your firm?

To protect yourself, your CISO is going to have to audit your vendors’ information security policies and procedures—even those of small vendors such as the local tech guy who fixes your server. At some point, you may even have to ban vendors from bringing their cell phones into your offices (many military headquarters require something similar).