The unexpected is what is most fatal in cyber. Target suffered one of the largest thefts of client information in history because of an HVAC repairman. Activision was breached this year because an employee clicked on a text message that compromised his personal device. And Reddit was breached after an attacker sent a series of plausible-sounding prompts that directed employees to a fraudulent website that mimicked the company’s web portal.
None of these were direct attacks on a company’s cyber defenses. Instead, cybercriminals identified and exploited unexpected weaknesses. They also highlight why cybersecurity is an exercise in risk management and not risk elimination. It requires a layered protection strategy, with each layer addressing different points that humans intersect with technology.
This is the seventh article in a series that looks at wealth manager cybersecurity. It examines three additional layers of protection that every industry participant should consider, as well as one common layer that may be less effective than expected.
Even after spending a great deal of money to upgrade company cybersecurity defenses and staff, every wealth manager will still have three key points of cyber vulnerability: vendors, employees and clients.
Any organization—ranging from attorneys to cleaning staff—that interacts with a firm or that has access to company offices creates potential points of entry for cybercriminals. Of course, vendor cybersecurity policies and procedures should be fully vetted. Regardless, none should ever be allowed to connect a device to company systems.
Additionally (and as described in an earlier article in this series), there is technology that enables anyone with physical proximity to devices to copy their memories. Consequently, no vendor should have access to those areas of company offices with devices holding sensitive information. However, it is also important to point out that such access controls are largely irrelevant if employees—and in particular, executives—continue to save passwords on Post-It notes on computers, in notebooks left on their desks or in the Notes section of their devices.
The lax personal online behavior of both employees and clients also creates countless opportunities for breaching wealth managers. For example, personal email accounts with weak passwords are easy to hack and can be used to generate phishing emails that are likely to be opened by company employees and that download malware in the firm’s systems.
Social media accounts with poor cyberprivacy are inviting because they do not have to be hacked. They have an immense amount of personal information that is out there for the taking. Cybercriminals use it to identify and target potential victims. They also download videos from these accounts and, with AI software, can clone voices and images that could be used to pose as either a client or an employee and generate fraudulent transactions. Indeed, cybercriminals have even posed as a company’s CEO using a cloned voice and directed the wiring of several hundred thousand dollars to a fraudulent third party.
Clients and employees who have homes with smart home technology (e.g., security cameras, smart light bulbs, smart coffee pots, virtual assistants) are likewise compelling targets for cybercriminals. This type of technology is often relatively uncomplicated to hack and should a single piece be breached, every other attached device—including work devices—is compromised. Once in, cybercriminals can copy passwords or infect every device with malware.
Indeed, it is baffling that many industry participants will invest so much on business cybersecurity while still ignoring the cybersecurity and cyberprivacy of both employees and clients. Adding these additional layers of security is neither complicated nor expensive and they eliminate multiple common avenues for being breached.
Unfortunately, many firms instead rely far too much on another type of protection—cyber insurance. Certainly, every company should have some level of cyber insurance. However, it is likewise important not to overestimate its value.
For example, cyber insurance policies often include specific exemptions for coverage. And the most common cause of cyber breaches—employee error—is usually explicitly excluded as a basis for a claim in policies.
Moreover, policies often include ambiguous language, providing the insurer a potential basis for challenging a claim. In one highly publicized case, the University of California system has been caught up in litigation with Lloyd's regarding the interpretation of a policy involved in a $7 million claim.
Additionally, whether an insurer pays on any policy is a business decision. Challenging it can be costly and time consuming for the insured. A claimant may find itself in the unenviable position of having to decide whether it should spend $2 million trying to collect on a $1 million claim or instead negotiate for the payment of a materially lesser amount.
More importantly, if a wealth manager needs to collect on a cyber insurance policy, it already has lost money and has been badly damaged. The only question is how much.
It has been breached. It has had to inform the SEC and clients. It also may now be subject to an enforcement action. By any measure, taking the necessary steps to reduce the likelihood and frequency of breaches will always have a much greater expected value.
This series of articles has looked at how cybersecurity is going to force wealth managers to change how they run their businesses. Costs are going to go up. Technology is going to be more difficult to use and less productive. And the SEC will be looming in the background waiting to sanction organizations that fail to adequately protect their cybersecurity.
Certainly, few industry participants will greet this news with enthusiasm. However, what is also certain is that those who accept and embrace what needs to be done will fare far better than those who wait for an adverse event.
Mark Hurley is CEO of Digital Privacy & Protections. Carmine Cicalese, COL, U.S. Army Retired, is senior adviser and partner at DPP.