Cyber threats and what wealth managers will have to do to respond to them will soon increase costs, lower productivity and annoy owners and employees in ways currently unimaginable. Industry participants will be forced to shift to closed systems that are accessible to only company-owned and managed devices. Information technology staffing will need to be much greater. And personal devices will be able to access only work email and only under certain circumstances.
Sound far-fetched? This is the world that every major accounting and law firm currently lives in. They handle some of their clients’ most important and sensitive information and there are cybergangs throughout the world constantly trying to steal it. And guess who else handles some of their clients’ most sensitive and important information that cybercriminals would love to get their hands on? Wealth managers.
This is the third in a series of articles that look at wealth manager cybersecurity. It examines the steps that industry participants will have to take to prevent outsiders from stealing client information.
Cybercriminals are after it because it can be used to steal identities. Identity theft is a $52B annual revenue business that impacts 42 million Americans each year and involves the theft of credit, healthcare insurance and tax returns.
Unfortunately, protecting client information is particularly challenging because it can be accessed through company systems and there are numerous ways of breaching them, even if information is stored in the cloud. A common tactic involves using malware—malicious software that gets behind cyber defenses, exports information and takes control of systems. Although anti-virus software can at times block it, there is a constant arms race between the criminals who develop new forms of malware and those who write the software to defeat it. Sometimes malware wins, circumvents a system’s defenses, and begins exporting information.
Every device connected to a network can potentially infect it, and every other attached device, with malware. The infection can happen at work, through a phishing email or a smishing text, or on a home network. Criminals also plant malware on devices left unattended even briefly by downloading apps onto them called “Trojans,” which look legitimate but contain malicious code.
The only way to prevent a network from being infected is to limit the devices that can access it. Major law and accounting firms typically allow only company-issued laptops to connect to their networks, and only under certain circumstances. The devices are “locked down”—i.e., they have security settings and layers of cybersecurity software that can make the device so cumbersome that at times even it cannot access company systems.
Consequently, these organizations require much larger information technology teams to be able to continue to function. The IT staff must be available day and night, capable of quickly fixing or replacing company-owned devices, and adept at handling extraordinarily annoyed fellow employees.
To be sure, employees often may also access their work email using personal devices. However, they are not allowed to access other company systems, and a password along with multi-factor authentication is required to get in.
The other way to breach company systems is to steal the necessary credentials. This is often relatively easy because so many employees are reckless online away from work. And the only effective way to prevent credential theft is to require that all company-related passwords be stored in a work password manager that can only be accessed using a company-owned device.
Cybercriminals constantly innovate, and notwithstanding these measures, even major law and accounting firms are still occasionally breached. Thus, an equally important layer of cyber protection involves limiting individual employees’ access to data and their ability to download it. Doing so effectively compartmentalizes the information by requiring different credentials to access different portions of it. This, in turn, forces cybercriminals to separately hack into each section and significantly limits the data lost from a single breach.
For many wealth managers, the idea of having to function using such a structure may sound a bit outlandish, even absurd. At a recent T3 conference, 75% of firms surveyed admitted to doing next to nothing to enhance their cybersecurity. Moreover, those industry participants with stronger cybersecurity typically rely on managed security service providers (MSSPs). MSSPs install security software on certain devices, provide an additional firewall to block access to company systems and provide software designed to trigger alerts when information is exported.
Although these measures provide some protection, both law and accounting firms have painfully learned that they are not as robust as closed systems. Many have suffered the loss of large amounts of client information that has cost them tens of millions of dollars.
Sadly, this pattern is likely to repeat itself with wealth managers. Most industry participants will not take the necessary, painful measures to protect client information until after some of their competitors have been breached and had client information stolen. What will follow is a race to upgrade their cyber defenses before they too suffer such an outcome.
Their less fortunate peers will likely quickly learn that many cyber insurance policies are uncollectible. They likely also will experience the joy of being hit with an enforcement action that they will be required to share with every current and potential client for the next 10 years.
Mark Hurley is CEO of Digital Privacy and Protection (DPP). Carmine Cicalese, COL, U.S. Army Retired, is senior advisor and partner at DPP.