Keeping Cybersecurity Sharp As Risks Evolve

Tom Burroughes Group Editor London April 21, 2022

Keeping Cybersecurity Sharp As Risks Evolve

We talk to a cybersecurity expert in the US about the threats the wealth management sector faces, what can be done and what are the smart ways to keep criminals and related attackers at bay.

The  trend of working from home, the digitization of work processes and Russia’s invasion of Ukraine help fuel cyber attacks. They continue to rise, putting wealth managers in the cross hairs.

More than 22 per cent of family offices in North America experienced a cyber attack, according to the UBS Global Family Office Report in 2019. Another study, by Northern Trust in 2020, found that almost 60 per cent of the 78 global family offices surveyed said cybersecurity topped their list of late-night worries, with 96 per cent of respondents having experienced at least one cyber attack. Private banks and other wealth management models are likely to have similar concerns. After all, thieves go after where the money is.

High-profile attacks on a range of targets, such as the US Colonial Pipeline attack in May 2021, which interrupted fuel supplies for days, keep cybersecurity in the frame. Protection against attacks is now big business: The global cybersecurity market was expected to grow from $183 billion in 2019 to $230 billion in 2021, at a compound annual growth rate of 12.0 per cent, according to UK-based Rothschild & Co. Strikingly, it said: “The average number of cybersecurity breaches has doubled in the past year and around 50 per cent of computers that were infected once were re-infected within 12 months. The cost of cyber attacks is set to reach over $10.5 trillion by 2025. Compared to 2019, 2020 saw a +358 per cent increase in malware and +435 per cent increase in ransomware attacks, with 59 per cent of organizations experiencing a material breach in the last year.”

Brian Edelman, the chief executive of FCI, and a cybersecurity expert, knows full well how vulnerable businesses are, and what’s at stake. FCI, based in the US, is an “automation platform for compliance and protection,” he told Family Wealth Report in a recent interview.

Cyber attacks are getting larger and more serious because attackers are becoming better and faster at exploiting vulnerabilities. It is important for advisors to family offices to talk to their clients about security and important for family members to do so, he said. “It has become a component with working with wealthy people.”

An important point is that it is necessary to know that people who say they are taking care of security do what they say they are doing. Otherwise, all the processes in the world won’t make a difference. 

“One of the biggest challenges in security assessments is in trusting that the firm is indeed secure. No longer about attestation…about trust and verify…..when you show me the assessment, show me that it came up clean,” Edelman said. 

Wealth managers and bankers must understand that insurance companies are becoming more mature at assessing cybersecurity and pricing and insuring the risks. If insurers can prove that people did not use multi-factor authentication, and other steps, then they won’t pay out, he continued. 

Attacks keep the issue hot. For example, within areas such as private equity – an important wealth management asset class – a US firm was hit by the DoppelPaymer gang and a French business was hit by Maze, another group. Both cases involved the exfiltration of sensitive data from the victims’ networks prior to the encryption of their files.

Three approaches
Edelman argues that there are three broad ways that firms approach cybersecurity. 

“There is the one type who had a bad experience both personally and professionally. There is urgency….behind them in their concerns,” he said. Another group know there is a problem and want to understanding cybersecurity more…"They are much more proactive”. 

A third group doesn’t think that they are going to get caught, he continued. 

FCI has built a business helping firms handle cybersecurity. In wealth management, it serves entities such as financial planners, RIAs, custodians, branches and funds; while in insurance, it covers general agencies, brokerage general agents and brokers; and in banks it works with mortgage bankers, brokers, credit unions and the retail side.

So what’s FCI up to?

“We are emphasizing our Co-Managed Cybersecurity solution to larger firms in the financial services industry,” Edelman said. “With larger firms that have complex environments, there can still be gaps in cyber programs and tools. The management teams are involved with internal IT teams and often with third-party MSPs [managed service providers]. Cybersecurity expertise is typically limited. FCI offers a co-managed security solution that augments and adapts to teams, skill sets and tools already in place with increased IT access and shared visibility into security operations.”

“We are co-managing cyber environments with several Tier 1 firms with great success because of deeper education and collaboration. We test and manage the client team resources so they learn how to effectively set controls, how to work with regulators and insurers and understand compliance as it applies to security,” he said. 

Edelman said cybersecurity audits are essential. 

“There’s so much to learn in cyber and it’s a shifting landscape with new threats – it’s hard for enterprises to stay on top of everything in this domain. This is FCI’s sole mission. We leverage automation and native system settings to secure devices. Because FCI leverages agentless scanning tools there is also never a device or network put at additional risk during the security scanning process,” he said. 

“We are spreading the word about taking a holistic view of cybersecurity. It’s easy for firms to get caught up with the latest shiny object in the room (fixing the threat of the moment like ransomware, encryption, etc). We take a decentralized, utilitarian approach that has built-in checks and balances for all types of threats. Because of this integrated best-of-breed offering, redundancy is automatically built into the system. If any one system is attacked, other systems in this NIST-based ecosystem can detect what’s happening. If you use one system for everything, there’s a risk these checks and balances won’t be in place,” he said. 

(“NIST” refers to National Institute of Security Standards. This body develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of US industry, federal agencies and the broader public.)

US authorities are turning up pressure on firms to guard against threats. The Securities and Exchange Commission, for example, has issued guidance, supported by the Financial Industry Regulatory Authority, stating: “Under the SEC’s Regulation S-P, firms are required to have policies and procedures addressing the protection of customer information and records.” This includes identifying and blocking the transmission of sensitive data (e.g., account numbers, social security numbers, trade information, and source code) from leaving the organization.

What sort of threats are growing the fastest?

“In the old days it was malware. Today, end users allowing short periods of access that give bad actors a world of control happens more and more often. This could be from an employee letting their guard down or a bad actor gaining direct access to leverage data to extort money – or ransomware to hold the firm hostage. This is `data extortion’ from the use of common systems which is why we enhanced our offering in this area. That said, threats are a moving target so we keep our eye on all new forms of incidents and breaches,” Edelman said. 

Social media use is a constant point of vulnerability. 

“[The] bottom line is that the more someone knows about you, the easier it is to engineer a social engineering attack. Spearfishing and social engineering are the two most common ways to attack someone in social media environments. These types of attacks are emotion-based. An example would be that someone uses your photo on Facebook to sign up for another account. They then send friend requests to all your friends exposing them also to a fake account or putting them at risk. Another example: It’s too easy to watch a college student let everyone know they are going on Spring Break from photos. Someone realises they have a wealthy grandparent or parents. Contact can be made to extort money from people after being told their son, daughter, grandchild is being held hostage and a ransom must be paid. Again, the more you put out there, the greater the risk,” he added.


Register for FamilyWealthReport today

Gain access to regular and exclusive research on the global wealth management sector along with the opportunity to attend industry events such as exclusive invites to Breakfast Briefings and Summits in the major wealth management centres and industry leading awards programmes