Physicians refer to sudden cardiac arrest as the “silent killer.” Someone’s life is just going along nicely, then out of the blue, they start feeling poorly, and within an hour or two they are dead. For the majority of the 350,000 people who die from it annually, their first noticeable warning is death (Source: American Medical Association).

Wealth management firms possess some of the world’s most stable financial services businesses, enjoying some of the highest retention rates in any industry. Clients retain their advisors for decades because of the trust they place in their advisors to take care of them, to protect their wealth and to always put their interests first. But unbeknownst to most wealth managers, they too face a lurking potential silent killer.

Specifically, a standard feature of most custodial agreements is that they shift the risk of cyber theft to clients, effectively leaving it to the custodian’s discretion whether to reimburse any losses should an account be breached or money stolen. One such agreement shields the custodian from any liability unless the theft occurred through “no fault” of the client. Another makes the client “solely responsible for safeguarding and keeping confidential [their] password and user IDs” and provides that the custodian is “not liable for any loss or damage that occurs via the use” of the client’s password and/or user ID.

Furthermore, there is a similar—albeit not widely known—bargain with banks. Many people falsely assume that bank accounts are protected from cyber theft because of deposit insurance. However, typical online banking agreements are also very one-sided and transfer the risk to account holders if they are at all at fault for the cyber theft.

To be fair, custodians and banks must insist on such terms. They would be insane to bear the risk of cyber theft given how sloppy and reckless so many people are online. Countless individuals use the same or similar passwords for each of their online accounts. Few turn on the privacy and security settings available on their devices or online accounts. Many even regularly use public Wi-Fi without any protection. And nearly one million passwords per week are compromised (Source: SECplicity).

Unfortunately, most wealth managers also are unaware of the bargain that their clients must agree to with custodians and banks, even though they often recommend which ones to use. Indeed, many advisors have never bothered to even read the agreements.

Against this backdrop, if you are an advisor, try to imagine a client’s reaction if an account is hacked and money is lost. How do you explain to clients that they assumed this risk when they signed up, especially if you never bothered to mention it to them? Moreover, if you knew that this risk existed, why didn’t you at least try to help protect them?

So much for the idea that they can trust their wealth manager to always look out for their best interests. The money is gone and there is nothing that can be done about it. Good luck keeping the client. The same goes for the many other clients who learn what happened, especially given the likely publicity from the inevitable lawsuit. Moreover, when a cyber attack occurs, there are usually multiple victims. If they happen to be clients of the same firm, the legal, financial and reputational damage is magnified.

Equally problematic, custodians are likewise not liable should cyber theft result from a wealth manager itself being breached. That is a matter between the firm and its client. If a firm is breached and money is stolen from client accounts, the loss is on the wealth manager.

How many firms have ever disclosed this to their clients? Most have no idea that this risk even exists.

Certainly, large numbers of industry participants carry some sort of cyber insurance. However, the policies almost invariably contain exclusions for losses resulting from the gross negligence and/or willful misconduct of the wealth manager and its key employees.

More simply stated, should someone at a firm make a single exception to the company’s cyber policies and it results in a breach that causes a loss of client assets, that loss is effectively uninsured. The breach could result in the theft of millions of dollars from multiple client accounts. While scrambling to raise the capital to make clients whole, good luck explaining what happened to them—as well as to the SEC.

All of this points to why the owners of wealth managers need to wake up to the silent killer threat that cyber poses to their organizations. At a minimum, every industry participant needs to disclose and educate their clients about the bargain that they are agreeing to with their custodians and banks as well as with their advisor.

Finally, because a breach can severely damage a firm even if it was caused by the client’s, and not the advisor’s, actions or negligence, wealth managers have an overwhelming self-interest in helping clients better understand and manage their cyber risks. How clients operate online is their own business. But when their behavior creates significant risks to businesses that wealth managers have spent decades building, the firms have no choice but to get involved.

The SEC estimates that 75% of all wealth managers have already been targeted in a cyberattack. Seventy-five percent of participants surveyed at the most recent T3 conference admitted doing next to nothing about cybersecurity. At the same time, cybercrime is forecast to double again in the next three years (Source: Surfshark, CloudDB, Cybersecurity Ventures, Cybercrimemagazine). At this rate, the industry may soon look like a hospital cardiac unit.

Mark Hurley is CEO of Digital Privacy and Protection (DPP). Carmine Cicalese, COL, U.S. Army retired, is senior advisor and partner at DPP.