Wealth managers are the route to high-net-worth clients for cyber criminals, writes Lewis Henderson, pictured, VP Threat Intelligence, at the email security software company Glasswall Solutions.
The cybersecurity risks facing wealth managers and their high-net-worth clients are steadily increasing as criminals exploit weak defences and poor or non-existent security policy. More than a quarter (28 per cent) of international high-net-worth families and the firms that manage their assets have already fallen victim to cyber-attacks according to a study from Campden Wealth and Schillings. Despite the size of the risk, approximately 40 per cent of such firms are operating without a dedicated cybersecurity policy, or a professional to manage protection.
What then, is the secret of the untouched 72 per cent of high-net-worth individuals and their wealth managers? What makes them invulnerable to cyber-attacks, or is it just a matter of luck? The former FBI Director, Robert Mueller, is renowned for saying: “There are only two types of companies: those that have been hacked, and those that will be.” We can be pretty certain that Mr Mueller would be the first to confirm that luck is no strategy.
Wealth management firms and their clients are now right at the top of cyber criminals’ hit lists. The approach they use is similar to that deployed obliquely against large corporations through vulnerable supply chain partners. Malicious actors concentrate on penetrating the security of high-net-worth individuals’ networks of business partners, family and friends, monitoring activity and gaining intelligence before launching meticulously planned cyber-attacks.
An explosive cocktail of risks is created through neglect of cybersecurity and abundant opportunities for extortion or data-theft that lead to reputational damage. It is the toxic nature of these threats that has stimulated increasing numbers of high-end wealth managers into hiring personal cybersecurity consultants and third parties to help protect their clients, as well as their business operations. This may not defer risk, but it certainly goes a long way to reducing it and obliges senior stakeholders of wealth managers to be involved in the process and not participate remotely.
In the aftermath of the Panama and Paradise Papers breaches, wealth managers worry about secure handling of clients’ sensitive files, as even these may lure malicious actors to attempt a cyber-attack, ultimately inflicting financial and data loss. When the Panama Papers made headlines in 2015, everyone witnessed an unprecedented leak of 11.5 million sensitive files coming from the database of the world’s fourth biggest offshore law firm, Mossack Fonseca. The veil on the dealings within this secret world had been lifted, and we couldn’t get enough, even when the Icelandic Prime Minister was found to have participated.
It all adds to the pressure on wealth managers who face increasing levels of scrutiny by the various regulators overseeing Know your Customer (KYC), Anti-Money Laundering (AML) compliance, EU GDPR and The California Consumer Privacy Act of 2018. High-net-worth clients are required to submit a greater number of documents than ever before as evidence of good practice and compliance. “Old World” institutions still satisfy the requirements via hardcopy or email, but more innovative institutions are building sophisticated client-facing portals to manage this, as well as many other aspects of the relationship. The problem is that clients’ staff can easily be lured into uploading a malicious file by mistake, and the wealth manager tasked with reviewing and processing that file will be trusting and inclined to open such documents.
As a wealth manager, it is now considered remiss if you do not hire cybersecurity consultants and advisors who will take the following critical steps to protect your zero risk-tolerant clients:
Know Your Digital Enemy – …Or at least the methods they use. Attackers have various ways to observe, collect and spy, but when these are combined with social engineering it becomes highly effective. The below is a non-exhaustive example of the almost endless digital methods attackers will use:
•Email Attacks:
oPhishing – Emails or attachments that ask you to “click to open” or “click to access”; that seem random. Just don’t. Hover over the image or link, the true website will be revealed, check and double check, and if in doubt, type the website manually.
oSpear Phishing – Emails or attachments that are not random and are likely to reference something you are aware of from someone you know. Unless you were expecting to receive an email asking you to transfer £50m, pick up the phone.
•Fake Websites
oBeing asked to visit a website by a client isn’t out of the ordinary, and neither are malicious websites set up to collect personal information or deploy malware. URL links within documents or those sent from webmail accounts can all be checked for integrity, and many security organisations offering a free look up.
•Digital Breadcrumb Trails
oUsing GPS enabled devices, promoting activities on social media and having a public profile all assist in gathering geographic specific, personal and professional topical intelligence that attackers can utilise to great effect. Consider the security implications of yours, your employees, your clients and their families and how that could create unnecessary risks.
Document Sanitisation – Email and digital documents are lifeblood, but so little is done to ensure not just the sender is trusted, but the file is too. Wealth managers need to think innovatively about this most significant threat: digital documents. With the constant flow of documents sent via email, uploaded, stored and shared daily, attackers know how to quickly and easily infiltrate their intended victim, and often gather intelligence for months before making the first of many moves. Consultants must implement a sanitisation policy to ensure that all files traversing their IT systems and computers are safe, clean, and free of threats.
Defence-in-Depth – Rarely does a standard ISP provider to small businesses provide a comprehensive cybersecurity package. Large organisations are better at defending against cyber-attacks as they create a multi-layered series of defensive measures. Wealth managers need to direct their consultants to map to defence-in-depth strategies, and tailor them to their customers, and not just use commodity services that may, at best, address one risk. With the wealth managers’ reputation at stake this layered approach of not relying on one single service may need additional investment, but the benefits of additional protection far outweigh the implications of a breach.
Risk Surface Reduction – When it comes to risk management, large and complicated attack surfaces are hard to defend, due to the extensive amount of effort needed to monitor, analyse and respond. It’s essential to determine the current threat surface and reduce it as much as possible to eliminate an attacker’s opportunities. More and more avenues for attack are opening up, especially with high-net-worth clients, with everything from IoT devices to macros being enabled when they don’t need to be. To successfully understand and implement a risk management strategy, complete an assessment to determine where the potential vulnerabilities exist.
Compliance and Control – Good governance drives good principles, and good practice – ultimately this comes down to trust. How does a client distinguish or trust one wealth manager over another? Is it a family connection, or because they have taken additional steps to secure their clients data, and more importantly, prove it. Savvy, high-net-worth clients are asking more about how their data is secured, not just how their money is put to work. Fortunately, there are many simple steps a wealth manager can employ, and there is no need to reinvent the wheel. The NCSC, guided by GCHQ, has published various guidelines such as the friendly 10 Steps to Cyber Security, through to the start of robust Risk Management Guidelines.
With good policy, applying security controls over a constant influx of client files and sensitive information being shared daily, becomes natural and second-nature. For example, a policy to remove known high risk objects from documents such as macros, especially when they have no purpose within the company, is good practice.
Cyber Insurance Policies – In the event of any incident, cyber insurance products specifically designed for high-net-worth individuals are available, and sometimes simply labelled “fraud insurance” as a catch-all. With banks shying away from responsibility for transactions using stolen credentials, insurance steps in. Some insurers actually demand some evidence of good practice among their members, so being able to demonstrate that email and file security are priorities and that good practice is governed by good policy, makes it more likely to be accepted by the underwriter.
As the saying goes, the bigger they are, the harder they fall, but in the case of high-net-worth clients, the richer they are, the harder they fall. There’s much at stake when it comes to high-net-worth clients – many of whom represent fortunes which have accumulated over decades or longer. In the modern era of cyber-attacks, it’s easier than ever for hackers to leverage the electronic “footprint” of these assets and the people that manage and protect them. Efforts must incorporate a multi-step cyber threat protection plan – addressing document assurance, layered defensive measures, compliance/control and a reduced risk surface – to ensure the wealth remains “all in the family.”
