Even so, one feature of the attack caught attention: Capital One had embraced the “cloud” for storing data. When asked about cyber-security breaches, advocates of cloud computing have told this publication that security in this model is often as good as, if not superior to, in-house systems that companies have used in the past. But the scale of the Capital One saga is bound to cause concern that cloud computing is vulnerable. 

Wealth management organizations such as family offices should be aware of the risks and understand that there are different types of “cloud”, practitioners have told Family Wealth Report. “There’s tons of ambiguity…people don’t understand that there are different types,” Tania Neild, a former employee at the National Security Agency, and a technology consultant working with family offices, said. 

One assumption people make is that cloud-based service providers, being large, have the resources and processes to be secure, in ways that a small family office, for example, cannot afford. But there are challenges in that assumption, Theresa Pratt, chief information security officer, Market Street Trust Company, told this publication. 

“When I am not in the cloud, even if my security could be better, I am a small fish who may be hard to detect. When I am in the cloud, even though their security may be better, I am in a much larger pond and may potentially be in more danger…in a large cloud my data might get stolen as collateral damage,” she said.

"I have to trust that the vendor knows what they are going to do to protect my data. That is the risk of moving data to the cloud,” Pratt continued. 

There is a conflict, perhaps unresolvable, between the cloud’s advantages of speed, efficiency and cost savings for users, and issues around what happens if there’s a breach, she said. “By moving the cloud you are only shifting technology, not your risks and responsibilities,” she said. “Security and functionality are often 180 degrees in opposition. Everything that enhances functionality reduces security and vice versa."

Gaps in the wall
A particular concern that emerged from the Capital One case is that some of the containers used in cloud computing have gotten more vulnerable. A cloud container is a standard unit of software that packages up code and all its dependencies so that the application runs quickly and reliably from one computing environment to another. However, because they are so easy to use, errors can creep in when they are installed – creating openings for hackers. Computer security company Skybox Security, which recently updated the market about industry issues in its 2019 Vulnerability and Threat Trends Report, said that some of the containers face a problem. Skybox said vulnerabilities in container software rose by 46 per cent in the first half of 2019 compared with the same period in 2018, and by 240 per cent compared with the figures two years ago .

And technology practitioners and experts on data security think that wealth managers, such as family offices, private banks and other structures, cannot assume that putting material “in the cloud” gets them out of danger. A difficulty with this, however, is that the term “cloud” in fact refers to a variety of quite different approaches, which vary in risk and cost.

A definition helps, thanks to Wikipedia: “Cloud computing is the on-demand availability of computer system resources, especially data storage and computing power, without direct active management by the user. The term is generally used to describe data centers available to many users over the Internet.”

According to Neild, there are three broad models. First, there is an offering from an application service provider, or ASP. The bulk of the work is done on a server not limited to a network outside of a specific physical place. Such ASPs are the likes of Office365, DropBox, Addepar, Archway, and others. Access is via a login and a password, perhaps two factors, but otherwise users have no control. 

The second model is one in which “you’re renting part of a server that is `on-prem’ but you have shared responsibility for it,” she said. In this one it not used for cost-cutting reasons but because it has better disaster recovery ability and more flexibility. There will also be some specific technical support for the user. 

A third model, a “private cloud” gives the user as much control as on-premises hardware and systems; a user will house their own machines in a secure hosted facility. Security control is at a higher level than in the other two models, but it is the user’s responsibility to get it set up and maintained properly. Users select this model for the DR of the facility and environment.

Single family offices are in many cases choosing to stick with in-house, on-prem systems or using ASPs, Neild said. The second model, given its cost, may be too high for some SFOs. In the case of multi-family offices, they tend to be evenly distributed across the three broad cloud computing types, she said.

One important task for cloud computing users is knowing how to perform due diligence on ASPs – and that might involve bringing in outside experts. A layperson cannot easily do that, any more than they are equipped to diagnose an illness or health condition, she said.

Some wealth managers today are resigned to hacking taking place, while a small number are engaging outside advisors to navigate the security terrain, she said. There is a wide spectrum of due diligence and requirements by user, and equally wide for setup and maintenance of the vendors. 

ROI
An issue for the wealth industry is that with margins still under pressure, the cost/benefit equation of efficiency versus security isn’t an easy one to resolve, Pratt of Market Street Trust Company said.

"Writing an application securely takes time, money and expertise. Vendors are under pressure to get their applications to market quickly. Chances are excellent that someone is going to cut corners somewhere, leaving security gaps. I am not making value judgements here – this is the reality,” Pratt continued.

Users of cloud computing systems should have response plans in place and know who to call, and what to do, when an attack happens, she said. “Chances are that someone you already work with is already compromised.”

It appears that in security and efficiency, there are no free lunches, any more than in economics and business generally. The lessons that appear to come out of the latest incidents are that cloud solutions are not a silver bullet for those who use them, and the due diligence work to check on their suitability is as necessary as for choosing a bond or piece of real estate. Wealth managers should take latest cases as a wake-up call.