A few months ago, the SEC fined St. Louis-based R.T. Jones Capital Equities Management for failure to implement and update a written cybersecurity policy. Hackers attacked the RIA in 2013, exposing the personal information of about 100,000 individuals, including thousands of the firm’s clients. R.T. Jones paid a $75,000 penalty for failing to conduct periodic risk assessments, set up a firewall, encrypt personal information stored on its server or maintain a response plan for cybersecurity incidents. The firm is the first RIA the SEC has sanctioned over cybersecurity failings exposed by a breach; the penalty was for the missing safeguards, not for having been attacked.

“The auditors and regulatory agencies are screaming from the mountaintop, but I’m not sure that a lot of advisory firms believe this threat is real. Only about 20% of all cyber-attacks are even identified. Attackers may be collecting information and firms might never know it,” says Stillman. 

In a February 2015 risk alert, the SEC reported on examinations of data security at 57 registered broker-dealers and 49 RIAs. Most of the broker-dealers (88%) and RIAs (74%) said that they had been subjected to cyber-attacks directly or through one or more of their vendors.

The bulk of the incidents involved malware and fraudulent e-mails. Over half of the broker-dealers (54%) and just under half of the RIAs (43%) said that they received fraudulent e-mails seeking to transfer client funds. One-quarter (25%) of the broker-dealers that experienced losses involving fraudulent e-mails said that employees caused the losses by failing to follow the firms’ identity authentication procedures.
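The fraudulent transfer requests described above are typically "business e-mail compromise" messages that borrow a principal's display name, register a lookalike domain, or divert replies through a Reply-To header, and the identity authentication procedures the SEC refers to are the out-of-band checks that catch them. As an added example, not part of the original article or the SEC's alert, the Python below screens a raw message for those three tells and places any transfer request that trips one of them on hold pending a call-back. The domain name, the list of authorised senders and both sample messages are constructed for the demonstration.

```python
"""
Screening inbound wire-transfer requests for the usual marks of a fraudulent
"principal" e-mail: display-name impersonation, a lookalike sender domain, and
a Reply-To that sends the conversation (and the money) somewhere else.
Added example; names, domains and messages are constructed, not real.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import Dict, List

# Assumed (hypothetical): the family office's own mail domain and the people
# allowed to instruct a fund transfer, keyed by display name.
TRUSTED_DOMAIN = "example-family-office.com"
AUTHORISED_SENDERS = {"Jane Principal": "jane.principal@example-family-office.com"}
TRANSFER_KEYWORDS = ("wire", "transfer", "payment", "urgent")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch domains one or two typos from our own."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_lookalikes(domain: str) -> str:
    """Collapse common visual substitutions: 'rn' for 'm', '0' for 'o', '1' for 'l'."""
    return domain.lower().replace("rn", "m").translate(str.maketrans("01", "ol"))


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def screen_transfer_request(raw: str) -> Dict[str, object]:
    """Return {'flags': [...], 'hold': bool}; hold means verify by call-back first."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags: List[str] = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # 1. Display-name impersonation: a known principal's name on a foreign address.
    expected = AUTHORISED_SENDERS.get(from_name)
    if expected and from_addr.lower() != expected:
        flags.append(f"display name '{from_name}' used with {from_addr}")

    # 2. Lookalike domain: visually identical or within two edits of our own.
    if from_domain != TRUSTED_DOMAIN and (
        fold_lookalikes(from_domain) == fold_lookalikes(TRUSTED_DOMAIN)
        or edit_distance(from_domain, TRUSTED_DOMAIN) <= 2
    ):
        flags.append(f"lookalike sender domain {from_domain}")

    # 3. Reply-To pointing at another domain: replies never reach the real sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append(f"Reply-To {reply_addr} differs from sender domain")

    # 4. Only a message that actually asks for money to move goes on hold.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    asks_for_money = any(k in text for k in TRANSFER_KEYWORDS)
    return {"flags": flags, "hold": bool(flags) and asks_for_money}


# Constructed sample messages for the demonstration.
FRAUD_MSG = """\
From: Jane Principal <jane.principal@exarnple-family-office.com>
Reply-To: jp-private@mailbox-example.net
To: controller@example-family-office.com
Subject: Urgent wire transfer before close of business

Please send $250,000 to the escrow account below today. I am in meetings, e-mail only.
"""

LEGIT_MSG = """\
From: Jane Principal <jane.principal@example-family-office.com>
To: controller@example-family-office.com
Subject: Wire transfer to escrow for the closing

Please prepare the transfer we discussed on the call this morning.
"""

if __name__ == "__main__":
    for label, raw in (("fraud", FRAUD_MSG), ("legit", LEGIT_MSG)):
        print(label, screen_transfer_request(raw))
```

The hold is deliberately a process control rather than a technical one: a message that trips any flag is not acted on until someone calls the principal back on a number already on file, which is exactly the step the SEC found employees skipping. Header checks of this kind are a screen, not proof; a compromised genuine mailbox passes all three, so the call-back applies to every transfer instruction, flagged or not.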

A statement by the Federal Financial Institutions Examination Council issued in November warned financial institutions about the increasing frequency and severity of cyber-attacks involving extortion of payment in return for the release of stolen data. Cyber-criminals use a variety of tactics against financial institutions, including ransomware, denial of service attacks and theft of confidential business and client information (see sidebar) to extort money from victims, according to the statement.

Even lawyers are being targeted.

“A lot of law firms are being hacked that don’t necessarily fall into the family office space directly, but they’re corporate counsel for lots of different organizations,” says Paul Dyer, CEO of Glenburn, Maine-based United Cloud Partners Services, which provides private IT, marketing and compliance tools for the financial services industry.

Cyber-attacks against law firms are on the rise because hackers increasingly view attorneys as backdoors to the potentially lucrative data of their clients. Eighty percent of the country’s top 100 law firms by revenue have been hacked since 2011, according to Alexandria, Va.-based security consulting firm Mandiant. Sophisticated and well-funded hackers are targeting law firms to obtain information about clients’ financial assets, trade secrets, joint ventures, pending mergers and litigation strategies.

Staying Safe

The average cost of a data breach in 2014 was $3.5 million, up 15% from 2013, according to a report last year by Silicon Valley Bank. While a multimillion-dollar loss would likely be troubling to most family offices, exposure of non-financial information could be devastating to individual family members, as well as the entire family.

Private banks and RIAs may have significant financial data on their clients, but they typically don’t possess the kind of detailed personal information that a family office does, such as electronic appointment calendars, medical records, tax returns, makes and models of vehicles and locations of vacation homes.

“Personal safety is one of the risks an ultra-high-net-worth family has to worry about. For example, if somebody hacks into an iCloud account and obtains their physical location, it puts their physical security at risk,” says Dalva.

The exposure of private information and reputational damage could also be costly, especially if knowledge of the breach becomes public. Once lost, the trust of other family offices and business partners is difficult to regain.

To protect families, Dalva recommends that family offices start by having independent cybersecurity assessments performed on both the family office and each family member. The assessments should first focus on identifying likely “threat actors.” That information is then used to understand and rank the vulnerabilities those criminals could exploit to compromise the data of that specific family office.

Cybersecurity experts say family offices face four main types of threats:

  • Organized criminals who focus on monetary gain.
  • Competitors who seek an economic advantage by obtaining confidential information about a family’s business activities and relationships with customers, partners and suppliers.
  • “Hacktivists” who attack to promote a political or ideological agenda, by pressuring a family to support human rights or divest from fossil fuels, for example.
  • Employees or other insiders who misuse legitimate access to systems, intentionally or unintentionally.

After conducting an assessment, Dalva says the next step is to develop a “remediation road map” that may include changing people’s behavior, implementing new policies and procedures, altering the technical environment and training family members and family office staff on cybersecurity.

Smart Strategies

When it comes to family office cybersecurity, dumb may be the new smart.

Rather than struggling to keep the software and hardware of legacy in-house systems patched and current, most cybersecurity consultants recommend that family offices embrace outsourced, private, cloud-based security and regulatory compliance solutions provided and managed by experts who take over the functions of an in-house IT department, patching included.

In such an environment, users log in to a portal through which they reach all of their data and software applications from “dumb” devices that hold no data or programs of their own. Because the laptops and cell phones used to reach the portal store nothing locally, a lost or stolen device exposes little of a family office’s private information, provided the device cannot simply reconnect on its own: the login should still require a second factor, and sessions should expire rather than remain cached on the handset. (Family offices and advisors should note that there are many cloud-based solutions on the market and not all of them are truly secure.)

Dyer likens cloud computing to old-fashioned mainframe computing in the 1970s. “There’s no magic in what a cloud is. It’s a mainframe. It’s just that in the ’70s, when I had a dumb device at my desk, there was a cord that had to connect that dumb device to the mainframe. Now we don’t have cords,” he says.

Cloud-based solutions typically provide strong access controls to networks; device and e-mail encryption; anti-virus, anti-malware and anti-intrusion protection; software, such as Microsoft Office applications; continuous data backup; 24/7 help desk access; training; and written policies and procedures on cybersecurity. These solutions typically cost $200 to $250 per user per month.

Storing software programs and data in the cloud reduces the need to monitor and secure individual devices in the modern BYOD (bring your own device) workplace. Instead of giving employees log-in credentials that allow them to access their employer’s network directly from any device (secure or not), secure-private-cloud-based solutions push everyone through a single, safe portal.

“It is impossible to manage all the devices that employees might use if they have user ID and password access to web-based applications. Once they have that credential, they can go to any device and use it. There is no way that an employer can manage all those devices,” says Stillman.

While family offices should focus most of their resources on secure computing, they need to pay some attention to contingency planning in the event that a breach occurs. A swift response is often crucial to preventing further financial, privacy and reputational damage.   

Should disaster strike, general cyber-insurance can help cover losses from incident response, business disruption and damage to IT systems. Insurance carriers that provide kidnap, ransom and extortion policies sometimes offer protection against cyber-extortion. Many also sell policies that cover fund transfer fraud. As with all policies, cyber-insurance excludes some losses. Most policies bar coverage for monetary damages caused by unencrypted data or by the policyholder’s failure to reasonably maintain computer systems and update software.

But Dyer cautions that insurance should never be used as a first line of defense. “The way that most broker-dealers, RIAs and smaller family offices seem to want to deal with the hacking issue is simply to insure for it, rather than adopt a true prevention plan with insurance as the backup. That’s the wrong approach. They’ve got to put their money, time and mental energy into closing the loopholes and not being hackable,” he says. 

Just a year or two ago, the top concern for most advisors and their family office clients would probably have been the safety of, and return on, investments. Few would likely have mentioned cybersecurity.

Dyer says he’s now seeing a shift in attitudes. “Once the government got hacked and the Heartbleed bug happened, people started to realize, it isn’t a matter of if we’re going to get hacked. It’s a matter of when is it our turn, if we don’t get totally proactive,” he says.

Tech Talk

Criminals are primarily using three types of cyber-attacks against financial institutions.

Ransomware typically infects computers through deceptive e-mails or malicious websites, which mimic legitimate communications or organizations. The software then encrypts the data on the target computer, making it inaccessible until the victim pays the cyber-criminal to unlock the information. Once payment is received, there’s no guarantee that the criminal will decrypt the files. Even if the files are unlocked, the computer could be infected with additional ransomware. Ransomware attacks grew 113% in 2014.
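The behaviour described above, a burst of files rewritten as ciphertext by one process, is also what an endpoint or file-server detector looks for: encrypted output sits close to 8 bits of entropy per byte (ordinary documents are nearer 4 or 5), and it arrives many files at a time, usually under a new extension. The Python below is an added example, not code from the article or from either of the sources it cites. The entropy and burst thresholds, the allow-list of formats that are legitimately high-entropy, and the file-write events it runs over are all constructed for the demonstration, and the XOR keystream only stands in for whatever cipher a real attacker uses.

```python
"""
Behavioural check for ransomware-style file writes: flag a process that, within a
short window, rewrites many files whose contents look encrypted.
Added example with constructed events; thresholds are assumptions, not a standard.
"""
import hashlib
import math
from collections import Counter
from typing import List, Tuple

ENTROPY_THRESHOLD = 7.5   # bits/byte; text ~4-5, encrypted or compressed ~7.9+ (assumed)
BURST_THRESHOLD = 5       # high-entropy rewrites by one process inside the window (assumed)
WINDOW_SECONDS = 10.0     # sliding window length (assumed)
# Formats that are high-entropy by design, so entropy alone says nothing about them.
KNOWN_DENSE_FORMATS = {".zip", ".gz", ".7z", ".png", ".jpg", ".pdf"}

WriteEvent = Tuple[float, int, str, bytes]   # (timestamp, pid, path, data written)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the byte-frequency distribution (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, data: bytes) -> bool:
    """High entropy under an extension that should not be dense is the tell."""
    ext = path[path.rfind("."):].lower() if "." in path else ""
    return ext not in KNOWN_DENSE_FORMATS and shannon_entropy(data) >= ENTROPY_THRESHOLD


def detect_ransomware_bursts(events: List[WriteEvent]) -> List[int]:
    """Return pids with >= BURST_THRESHOLD encrypted-looking writes in any WINDOW_SECONDS."""
    stamps_by_pid = {}
    for ts, pid, path, data in sorted(events, key=lambda e: e[0]):
        if looks_encrypted(path, data):
            stamps_by_pid.setdefault(pid, []).append(ts)
    offenders = []
    for pid, stamps in stamps_by_pid.items():
        start = 0
        for end in range(len(stamps)):          # slide a window over the timestamps
            while stamps[end] - stamps[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                offenders.append(pid)
                break
    return sorted(offenders)


def fake_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Demo stand-in for the attacker's cipher: XOR with a SHA-256 counter keystream.
    Deterministic so the sample is reproducible; not a real cipher and not for real use."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def build_sample_events() -> List[WriteEvent]:
    """Constructed file-write events for the demonstration."""
    plain = (b"Quarterly statement for the family trust: balances, notes and actions. " * 60)[:4096]
    events: List[WriteEvent] = []
    # pid 4242: an encryptor rewriting six documents in five seconds under a new extension.
    for i in range(6):
        events.append((100.0 + i, 4242, f"docs/statement-{i}.pdf.locked",
                       fake_encrypt(plain + bytes([i]), b"demo-key")))
    # pid 1000: a backup job writing a compressed archive; dense, but an allowed format.
    events.append((101.0, 1000, "backup/nightly.zip", fake_encrypt(plain, b"zip")))
    # pid 77: a person saving ordinary text documents.
    events.append((102.0, 77, "docs/notes.txt", plain))
    events.append((103.0, 77, "docs/todo.md", plain[:512]))
    # pid 9: three dense writes spread over a minute, never enough inside one window.
    for i in range(3):
        events.append((200.0 + 30.0 * i, 9, f"tmp/blob-{i}.bin", fake_encrypt(plain, b"k%d" % i)))
    return events


if __name__ == "__main__":
    print("suspected encryptor pids:", detect_ransomware_bursts(build_sample_events()))
```

The extension allow-list is the detector's blind spot: a strain that keeps the original file name and extension, or that encrypts slowly enough to stay under the burst threshold, passes this check, which is why entropy-based detection is paired with decoy ("canary") files and with backups that the encrypting process cannot reach.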

Denial of service (DoS) attacks prevent legitimate users from accessing computer systems. Criminals typically flood systems with illegitimate requests, temporarily shutting down websites, then demand payment from victims to halt the attack or prevent additional attacks. If hackers block customers or employees from accessing systems, a financial institution’s reputation could be adversely affected and the organization could incur substantial operational and recovery costs. Sixty percent of organizations were affected by a DoS attack in 2013 and 87% were hit more than once.

Theft of sensitive or confidential business and client information may be carried out by cyber-criminals who want to extort money, or by hacktivists who seek to pressure an organization to undertake, or avoid, a particular activity. The release of sensitive or proprietary information could harm a firm’s reputation or competitive advantage. In 2014, criminals stole large volumes of private data through direct attacks on institutions such as banks. The number of breaches increased 23% over 2013, and attackers, rather than accidental disclosure or lost devices, accounted for most of them.

Sources: Federal Financial Institutions Examination Council, Joint Statement: Cyber Attacks Involving Extortion, November 2015; Symantec Corp.’s “Internet Security Threat Report,” April 2015.
