Technology
IT Users Must Change Mindset To Foil Cyber-Criminals, Say Industry Practitioners

Organizations working with groups such as family offices spelled out approaches required to foil an alarming trend in cyber-attacks.
Computer users today must embrace the idea of proving identities in different ways to beat cyber-threats. They must also be ready to adopt ploys such as a “credit freeze” when trouble comes, specialists in the field say as the industry continues to digest the massive Equifax breach. And if one farms out data management to a third party, it doesn’t shift the center of blame in the event of a breach, they say.
And these points particularly apply to wealth managers and their clients because criminals trawl the cyber-oceans systematically for wealthy persons. Indeed, the idea that a discreetly-run private client account or family office will be safer than a more public entity isn’t justified, practitioners tell Family Wealth Report.
As shown in a recent conference held by FWR in New York City, organizations such as family offices should now be in no doubt how high the stakes are. A couple of weeks before the conference was held in Manhattan, credit-reporting firm Equifax reported a breach, with 143 million clients said to be affected. The firm’s chief executive at the time, Richard Smith, resigned and received no bonus. Other breaches at internet giant Yahoo, or US-listed bank titan JP Morgan, have underscored how dangerous the environment now is. Even organizations such as the Internal Revenue Service have been hit.
One way to foil hackers is through what is called multi-factor authentication, or in plain language, using different ways to prove an identity, such as with a number, fingerprint, retinal scan, date of birth or other indicator. “If you don’t give at least two factors, for example, you’re at risk,” Justin Kapahi, VP of Solutions & Security, External IT, told FWR in a call. The firm describes itself as a “secure digital hub for financial professionals”. It is based in New Jersey.
Another point, Kapahi said, is that it makes more sense in security terms for firms, such as RIAs and family offices, to outsource their data management to professional outsiders via the cloud rather than doing so via ad-hoc internal systems, as the former have more resources and people to protect information. But outsourcing of data management doesn’t remove responsibility from the client firm for choosing providers able to perform the task properly. “The outsourcers of IT don’t wash their hands of these issues. Ultimately it is their data,” he said.
“If you outsource to the wrong people and don’t know what they are doing, you could be in trouble. There are a lot of Mickey Mouse vendors out there,” he said. Asked if family offices are still naïve about the threat, Kapahi demurred, saying he has seen plenty of such organizations reach out for advice and help.
Education of clients, staff and third-party providers and contractors about vulnerabilities is an essential take-home point from the Equifax breach, Chris Kerins, chief technology officer at RobustWealth, also told FWR. RobustWealth is a fintech firm – also based in New Jersey, like External IT.
Getting chilled
One idea a person can embrace if there is a data breach is a so-called credit freeze, sometimes also called a security freeze, Kerins said. “A credit freeze in a case like this [Equifax] is probably the best bet,” he said. A credit freeze is a tool that allows a user to restrict access to his or her credit report, which in turn makes it more difficult for identity thieves to open new accounts in a person’s name. Such freezes don’t affect a user’s credit score (a vital point) and don’t prevent users from obtaining a free annual credit report.
Actions such as freezes might be necessary as so much data is not actually given willingly by individuals to entities that have been hit, but taken by tax collectors and other government agencies, often in ways that the public doesn’t appreciate.
Kerins said that most of the 143 million affected users of Equifax services will not have consented to the private companies passing personal data to such firms.
RobustWealth recently tested the credit-freeze ploy with a custodian bank to show how it can stop data getting into the wrong hands.
There’s definitely a need to educate people more about the threats out there, he said.
One issue also is the growing use of mobile devices that people have come to expect to use for financial services as a matter of course, he said.
“Most people just assume there is some security out there,” he said.
In some ways, small startup financial organizations have an edge over established ones because there isn’t the challenge of wrapping a cyber-security system around an old, legacy system. A new firm can start with a clean sheet of paper, he said.