Many wealth managers mistakenly view cybersecurity as largely preventing outsiders from stealing client assets and information. However, insiders are a big—if not bigger—threat.

More specifically, it is much easier for employees to steal. Many have credentials that provide access to client information and custodial accounts. They also understand their employer’s business structure and procedures, allowing them to better cover their tracks. Additionally, they can sell stolen information for a lot of money. One client’s personal information is worth as much as $1,000 on the dark web.

Another equally dangerous insider threat is tied to what employees do inadvertently. A single employee who ignores company policies and procedures can undermine a firm’s cyber defenses. Additionally (as we will detail in a later article in this series), what employees do personally online away from work can create numerous opportunities to breach a wealth manager.

This is the fourth in a series of articles on wealth manager cybersecurity. It looks at what firms will need to do to protect themselves from insider attacks. Certainly, more than a few industry participants may be somewhat offended when we suggest that their employees (and even partners) pose a risk of data theft. Their organizations were built on trust. However, as they grow and experience greater employee turnover, the risk of such incidents increases geometrically.

Indeed, most employee data thefts take place when an individual starts a new job, leaves their current one or gives notice. There have even been instances of cybergang members becoming employees of companies that they hope to breach.

Like all other aspects of cybersecurity, protecting against either inadvertent or malicious insider data theft is risk management as opposed to risk elimination, and industry participants must balance security with functionality. The former is best managed through a combination of education, supervision and monitoring along with zero tolerance for failing to follow company cybersecurity policies. Unfortunately, this can be challenging because the biggest offenders are often senior management.

Protecting against malicious insider data theft can be best managed by following these five principles:

1. Limit access to information solely to those with a need to know. Aside from senior management and compliance staff, only employees who work with a client should be issued credentials to access that person’s information. This limits the amount of information a single employee can steal, and it also makes it harder for outsiders who have breached the firm’s systems to steal large amounts of client data.

2. Limit access to those with a need to use. Although employees need to access the custodial accounts of clients they work with, the ability to initiate transactions should be limited to a small number of authorized individuals. This safeguard not only reduces the risk of a rogue employee stealing money from a client account, it also prevents cybercriminals who have breached the company’s systems from likewise doing so.

3. Control where and how data is stored. Ideally, most client data should be stored in the cloud and not on devices. Cloud data storage companies have layers of cybersecurity, making them much harder to hack than wealth management firms. Additionally, should a cloud provider be hacked and client data stolen, the financial and regulatory liability for the wealth manager involved is likely a fraction of what it would be in an incident for which the firm alone is responsible.

Granted, some client information must be stored on devices at different points in time. However, it should be minimized and, when no longer needed, erased from the device. Similarly, all passwords and credentials should be stored in a password manager rather than on a device, and the password manager’s passcode should be memorized by its user.

4. Control access to where devices with information are located. Cybercriminals do not have to access a device to steal its information. Rather, technology that allows anyone in close proximity, including employees, vendors and even clients, to copy a device’s memory has existed for a long time.

Hence, devices with sensitive information should be kept in separate rooms with controlled access. They also should be stored using a Faraday cage, a shielding device that makes it much harder for someone proximate to copy their data.

However, Israeli scientists recently found a way to defeat a Faraday cage by using devices infected with malware, which not only copies data but also exfiltrates it automatically. Consequently, individuals working with devices that have sensitive information should be barred from bringing other devices into the room.

5. Limit the ability to download information to those with a need to provide. Client information should only be downloaded when provided to clients. Employees can complete their work online without downloading it and placing it at the risk of theft.

More importantly, only trained senior client team members should be issued the necessary credentials to download client data, only for those clients with whom they work and only for one client at a time. Downloads should also be limited to either PDF or printed form. Lastly, the company’s systems should both record the authorizing employee for each download and alert senior management of any instances of unusually large or atypical data downloads.
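As an added illustration (not code from the article or from DPP) of how a firm’s systems could enforce principles 1 and 5, the following checks a download audit log against a need-to-know client assignment list, the list of employees holding download credentials, the one-client-at-a-time and PDF-or-print rules, and a daily volume baseline, producing the alerts senior management would receive. The assignment table, credential list, daily limit, log format and sample records are all constructed assumptions.

```python
from collections import defaultdict

# Constructed policy data (assumptions, not from the article): client assignments,
# who holds download credentials, permitted formats, and a daily volume baseline.
ASSIGNMENTS = {"alice": {"C1", "C2"}, "bob": {"C3"}, "carol": {"C1", "C4"}}
DOWNLOAD_AUTHORIZED = {"alice", "carol"}
ALLOWED_FORMATS = {"pdf", "print"}
DAILY_LIMIT = 3  # downloads per employee per day before senior management is alerted

def parse_log(lines):
    """Constructed audit-log format: 'YYYY-MM-DD employee client[,client...] format'."""
    records = []
    for line in lines:
        day, emp, clients, fmt = line.split()
        records.append((day, emp, frozenset(clients.split(",")), fmt))
    return records

def check_download(emp, clients, fmt):
    """Policy violations for one download record; an empty list means compliant."""
    problems = []
    if emp not in DOWNLOAD_AUTHORIZED:
        problems.append("no download credential")
    if len(clients) != 1:
        problems.append("more than one client in a single download")
    if not clients <= ASSIGNMENTS.get(emp, set()):
        problems.append("client not assigned to employee")
    if fmt not in ALLOWED_FORMATS:
        problems.append(f"disallowed format {fmt}")
    return problems

def review(lines):
    """Return {employee: [alert, ...]} from per-record checks and daily volume."""
    alerts, per_day = defaultdict(list), defaultdict(int)
    for day, emp, clients, fmt in parse_log(lines):
        alerts[emp].extend(f"{day}: {p}" for p in check_download(emp, clients, fmt))
        per_day[(emp, day)] += 1
    for (emp, day), n in per_day.items():
        if n > DAILY_LIMIT:
            alerts[emp].append(f"{day}: {n} downloads exceed daily limit of {DAILY_LIMIT}")
    return {e: a for e, a in alerts.items() if a}  # employees with nothing to report are omitted

SAMPLE_LOG = [  # constructed sample, not real audit data
    "2024-03-01 alice C1 pdf",
    "2024-03-01 alice C2 pdf",
    "2024-03-01 alice C1 print",
    "2024-03-01 alice C2 pdf",      # fourth download of the day: volume alert
    "2024-03-01 bob C3 pdf",        # bob holds no download credential
    "2024-03-02 carol C1,C4 pdf",   # two clients in one download
    "2024-03-02 carol C3 csv",      # unassigned client and disallowed format
]
```

Calling review(SAMPLE_LOG) yields one volume alert for alice, a credential alert for bob, and three rule violations for carol.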

Certainly, each of these principles creates new burdens for wealth managers, increases costs and reduces productivity. Hence, every firm must find a way to balance protecting itself with its ability to make money.

That said, a recent study found the average cost of an insider data theft now exceeds $15 million per incident. Wealth managers must decide whether they want to pay less now or a lot more later.

Mark Hurley is CEO of Digital Privacy and Protection (DPP). Carmine Cicalese, COL, U.S. Army Retired, is senior advisor and partner at DPP.