Physicians refer to sudden cardiac arrest as the “silent killer.” Someone’s life might be going along nicely, but then out of the blue they start feeling poorly, and within an hour or two they are dead. For the majority of the 350,000 people who die from it annually, their first noticeable warning is death.

Wealth managers don’t know it, but they also face a potential silent killer: a hidden risk they likely haven’t thought about, involving cybersecurity and custodial and broker-dealer agreements.

A standard aspect of most of these agreements is that they shift the risk of cyber theft to clients, effectively leaving it to the custodian’s discretion to reimburse any losses if their accounts are breached or their money stolen. One such agreement shields the custodian from any liability unless the theft was specifically “no fault” of the client. Another makes the client “solely responsible for safeguarding and keeping confidential [their] password and user IDs” and the custodian is “not liable for any loss or damage that occurs via the use” of the password or ID.

There’s a similar bargain, albeit not widely known, with banks. Many people falsely assume that bank accounts are protected from cyber theft by deposit insurance. However, typical online banking agreements are also very one-sided and transfer the risk to account holders if they are in any way at fault for what happened in a cybercrime.

To be fair, custodians and banks must insist on such terms. They would be insane to bear the risk of cybercrime when so many people are sloppy and reckless online. Countless individuals use the same or similar passwords for their different online accounts. Few engage the available privacy and security settings on those accounts or on their devices. Many even regularly use public Wi-Fi without any protection. And nearly one million passwords per week are compromised, according to the cybersecurity website Secplicity.

Unfortunately, most wealth managers also are unaware of the bargain that their clients must agree to with custodians and banks, even though they often recommend which ones to use. Indeed, many advisors have never bothered to even read the agreements.

Against this backdrop, if you are an advisor, try to imagine a client’s reaction if an account is hacked and money is lost. How do you explain to clients that they assumed this risk when they signed up, especially if you never bothered to mention it to them? Moreover, if you knew that this risk existed, why didn’t you at least try to help protect them?

Our business is built on trust. Wealth management firms are some of the world’s most stable financial services businesses, enjoying some of the highest retention rates in any industry. Clients retain their advisors for decades because of the trust they place in them to protect wealth and to always put client interests first.

But good luck keeping a client if their money is gone and there is nothing that can be done about it. The same goes for other clients who learn what happened, especially if there’s publicity from an inevitable lawsuit. Moreover, when a cyberattack occurs, there are usually multiple victims. If they happen to be clients of the same firm, the legal, financial and reputational damage is magnified.

Equally problematic is the fact that custodians are likewise not liable if a cyber theft results from a wealth manager being breached. That becomes a matter between the firm and its client. If a firm is breached and money is stolen from client accounts, it is on the wealth manager.

How many firms have ever disclosed this to their clients? Most have no idea this risk even exists.

Certainly, large numbers of industry participants carry some sort of cyber insurance. However, the policies almost invariably have exclusions for losses resulting from the gross negligence or willful misconduct of the wealth manager and its key employees.

More simply stated, should someone at a wealth management firm make a single exception to the company’s cyber policies and it results in a breach that causes a loss of client assets (when millions are at stake), that breach is effectively uninsured. Good luck explaining what happened to clients—as well as to the SEC.

All of this points to why the owners of wealth managers need to wake up to the silent killer threat that cyber poses to their organizations. At a minimum, every industry participant needs to disclose and educate their clients about the bargain that they are agreeing to with their custodians and banks as well as with their advisors.

Finally, because a breach can severely damage a firm even if the intrusion was caused by the client’s negligence or action (and not the advisor’s), wealth managers have an overwhelming self-interest in helping clients better understand and manage their cyber risks. How clients operate online is their own business. But when their behavior creates significant risks to businesses that wealth managers have spent decades building, advisors have no choice but to get involved.

The SEC estimates 75% of all wealth managers have already been targeted in a cyberattack. Seventy-five percent of participants surveyed at the most recent T3 conference admitted doing next to nothing about cybersecurity. At the same time, cybercrime is forecasted to double again in the next three years (according to various sources). At this rate, the industry may soon look like a hospital cardiac unit.

Mark Hurley is CEO of Digital Privacy and Protection (DPP). Carmine Cicalese, COL., U.S. Army retired, is senior advisor and partner at DPP.