Cybercrime has certainly emerged as an unavoidable priority for businesses across all sectors. The growing list of high-impact cyber-attacks continues to convey a steady and clear-cut message: the bad guys will continue to sharpen their arsenal in a quest to breach personal privacy, wipe investment accounts, manipulate financial markets, steal intellectual property and commit other egregious acts.
The financial services industry has been a high-value target for profit seeking cybercriminals for a while. A 2016 heist, in which hackers stole USD$81 million from the central bank of Bangladesh using intelligently designed malware that covered their tracks by manipulating bank balances and erasing money transfer records, provides a chilling example. In fact, this cybercriminal syndicate was prevented by a mere typo from stealing the full USD$1 billion they were after.
While the wider financial services industry remains at risk, cyber threats specifically against financial advice firms are continually increasing. There are four primary drivers for this trend.
First, over the last decade, big banks have consistently invested millions in commercial-grade cyber security solutions, such as advanced threat protection, 24/7 security operations centres (SOCs), highly redundant data centres and so forth, which makes them a less attractive target for cyber criminals. On the other side of the spectrum, because smaller financial advice firms don't have equally deep pockets, their cyber defences have lagged. This disparity has made them softer targets for cyber criminals, who prefer to follow the path of least resistance to achieve their goals. Sun Tzu affirms in his classic book, The Art of War: "You can be sure of succeeding in your attacks if you only attack places which are undefended ... so in war, the way is to avoid what is strong and to strike at what is weak."
Second, and probably most significant, cyber criminals are largely driven by financial gain. Unsurprisingly, these syndicates have set their sights on financial advice firms, lured by the high-value investment accounts they manage on behalf of clients. As Alex Tilley, a cybercrime expert and researcher, recently warned, "International cyber criminals have Australian nest eggs in their sights, with at least $600 billion in cash reserves held by self-managed super funds, financial planning and stockbroking-related accounts particularly at risk." Further compounding this challenge, several financial advice firms still rely on email to communicate with their clients, including for handling high-risk payment instructions. Email is rife with security flaws, and online criminals are exploiting these weaknesses to intercept client communications and attempt to redirect payments.
Third, the large trove of personally identifiable information - such as contact details, dates of birth, driver's licence numbers, passport details, residential addresses etc. - that financial advice firms must collect from their clients by law is also of high value to cyber criminals. This information can be sold or used to develop highly customised phishing attacks against clients, exposing them to identity theft or financial fraud. This sensitive data is increasingly being stored in a range of locations and applications, such as mailboxes, hard copies or third-party cloud servers, making the process of securing it complex and daunting.
Fourth, several financial advice firms rely on third-party-managed platforms, such as financial planning platforms, customer relationship management (CRM) systems or other administration systems. This is a good thing, as it enables them to tap into innovative solutions while focusing on their core areas of differentiation. Ceding vital data protection responsibilities to third parties, however, may have downsides if their technology environments are poorly secured. Amidst these outsourcing challenges, there are tightening data protection laws, such as the recent Australian Mandatory Data Breach Reporting law and the EU General Data Protection Regulation (GDPR). Although these laws have created a benchmark, their actual emergence raises several questions: Are third party servers hosting sensitive customer records located in foreign jurisdictions? Do third party data protection environments meet security and privacy requirements? Are these third parties contractually obligated to promptly notify the firm if their systems are breached?
So, how can financial advice firms respond?
Faced with the threat of data breaches, it's easy to conclude that the imbalance between cyber threats and corporate defences is a continuous challenge. These are justified sentiments, but a closer look into each of these incidents provides a key insight: cybercriminals are largely opportunistic and often exploit common and easily preventable flaws. The majority of data breaches can be traced back to vulnerabilities for which the vendor provided security patches several months before the compromise.
Granted, cyber security is a fast-moving target, and there is no one-size-fits-all cyber security framework. The appropriate set of responses should be informed by each financial advice firm's risk appetite and strategic priorities. With that caveat in mind, here are some recommendations that, if implemented appropriately, should reduce financial advice firms' cyber risk exposure.
- Ensure your systems are running on vendor-supported firmware, have up-to-date security patches and commercial anti-virus software. Turn on full-disk encryption, ensuring sensitive data cannot be accessed without the correct password in the event the device is stolen or seized. Also, regularly back up critical business files on a separate drive that is disconnected from your computer network. Cyber criminals are blocking access to critical business files using strong encryption (ransomware) and then threatening to delete the files unless victims pay a ransom in the form of cryptocurrency. In such situations, up-to-date backup files may be your only fall-back.
- Technology plays a key part in cyber resilience, but a cyber savvy workforce is even more important. To that end, invest in security awareness to ensure staff develop the intuition to detect and fend off sophisticated phishing attacks. Cybersecurity awareness campaigns provide the highest return on security investments but should not be pursued in isolation. They should be complemented with strong operational procedures, such as calling back customers to confirm the validity of payment instructions received via untrusted channels, such as email or fax.
- Enable multi-factor authentication (MFA) to increase security over your high-risk applications, especially e-banking and email. MFA requires further verification, in addition to your username and password, such as a one-time passcode accessible via a mobile app. Several online email and banking platforms have inbuilt MFA, but you must opt in. In addition, you can use a password management tool to generate, maintain and secure hard-to-guess passwords.
- Maintain a detailed catalogue of your digital crown jewels - systems that hold personal and sensitive client records, as well as your intellectual property. These are your most critical information assets, which, if compromised, could severely undermine your bottom line, damage your brand or expose your clients to harm. Having a strong grasp of your digital crown jewels provides a strong foundation to create a high-impact and cost-effective cybersecurity strategy. Simply put, effectiveness requires focus, and without a clear understanding of your most valuable data assets and where they reside, cyber security can easily become a slippery slope of high and unjustified expenditures. Once you clearly understand what your digital crown jewels are, the next prudent step is engaging a cyber security expert to assess the effectiveness of the protections around these systems.
- Include legally binding and measurable cyber security and privacy clauses in all new third-party supplier contracts, where possible. Specifically, require third parties handling business critical functions or sensitive customer data to provide independent audit reports, at least annually. One such report is the Service Organization Control 2 (SOC 2), a widely accepted independent assurance report commissioned by the American Institute of Certified Public Accountants (AICPA) that asserts the security, availability, processing integrity, confidentiality and privacy of information.
While it's all too easy to believe that cyber-attacks only happen to other businesses, financial advice firms cannot afford to treat cyber security as a low-priority issue anymore. Protecting against this soaring threat is about much more than protecting their businesses; it's about protecting the privacy and wealth of their clients. However, this is not just about spending money - simple things like using up-to-date software and patches, as well as creating awareness and educating staff on cyber security, are key steps in making it harder for cyber criminals to have an impact on your business.
The views expressed in this article are solely the author's, not the organisation he works for.