Cyber criminals are targeting wealth managers and their high-net-worth clients, exploiting weak defences and poor security practice.
A study from Campden Wealth and Schillings has revealed that 28 per cent of international high-net-worth families and the firms that manage their assets have already fallen victim to cyber-attacks. Despite the enormity of the risk, approximately 40 per cent of such firms fail to operate a dedicated cybersecurity policy, or appoint a professional to manage protection.
Are we to believe the other 72 per cent of high-net-worth individuals and their wealth managers are doing something radically different to fend off cyber-attacks, or is it just a matter of luck? The former FBI Director, Robert Mueller, was famously quoted as saying: “There are only two types of companies: those that have been hacked, and those that will be.” I’m sure Mr Mueller would be the first to confirm that relying on your luck is by no means a strategy.
Wealth management firms and their clients are now right in the cross-hairs of cyber criminals. The modus operandi is similar to that used to target large corporations through their vulnerable supply chain partners. Malicious actors are motivated to penetrate the security of any high-net-worth individual’s network of business partners, family and friends, monitoring activity and gaining intelligence before launching a meticulously planned cyber-attack.
A potent “risk cocktail” is created by neglect of cybersecurity, generating opportunities for extortion or data theft that lead to reputational damage. At last, the toxic nature of these threats has stung more high-end wealth managers into hiring personal cybersecurity consultants and third parties to help protect their clients, as well as their business operations. This may not remove the risk entirely, but it certainly goes a long way to reducing it. And it requires the senior stakeholders of wealth managers to be involved in the process, not to participate from a distance.
Faced with scrutiny
In the wake of the Panama and Paradise Papers incidents, wealth managers are rightly concerned about secure handling of clients’ sensitive files, as even these may lure malicious actors to start a cyber-attack, ultimately inflicting financial and data loss. When the Panama Papers made headlines in 2015, we saw an unprecedented leak of 11.5 million sensitive files coming from the database of the world’s fourth biggest offshore law firm, Mossack Fonseca. The veil on this secret world and their dealings had been lifted, and we couldn’t get enough, even when the Icelandic Prime Minister was found to have participated.
Wealth managers are facing increasing levels of scrutiny from regulators overseeing Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance, the EU GDPR and the California Consumer Privacy Act of 2018. High-net-worth clients are required to submit a greater number of documents than ever before as evidence of good practice and compliance. “Old World” institutions still satisfy the requirements via hardcopy or email, but more innovative institutions are building sophisticated client-facing portals to manage this, as well as many other aspects of the relationship. The problem is that clients’ staff can easily be lured into uploading a malicious file by mistake, and the wealth manager tasked with reviewing and processing that file will be trusting and inclined to open such documents.
As a wealth manager, it is now considered remiss if you do not hire cybersecurity consultants and advisors who will take the following critical steps to protect your zero-risk-tolerance clients:
Know Your Digital Enemy – …Or at least the methods they use. Attackers have various ways to observe, collect and spy, but when these are combined with social engineering they become highly effective. The following is a non-exhaustive list of the almost endless digital methods attackers will use:
- Email attacks
  - Phishing – Emails or attachments that seem random and ask you to “click to open” or “click to access”. Just don’t. Hover over the image or link and the true destination will be revealed; check and double-check, and if in doubt, type the website address manually.
  - Spear Phishing – Emails or attachments that are not random and are likely to reference something you are aware of, from someone you know. Unless you were expecting to receive an email asking you to transfer £50m, pick up the phone.
- Fake websites – Being asked to visit a website by a client isn’t out of the ordinary, and neither are malicious websites set up to collect personal information or deploy malware. URL links within documents, or those sent from webmail accounts, can all be checked for integrity, and many security organisations offer a free look-up service.
- Digital Breadcrumb Trails – Using GPS-enabled devices, promoting activities on social media and having a public profile all help attackers gather geographically specific, personal and professional intelligence that they can use to great effect. Consider the security implications of your own digital footprint and those of your employees, your clients and their families, and how they could create unnecessary risks.
Document Sanitisation – Email and digital documents are the lifeblood of the business, but so little is done to ensure that not just the sender is trusted, but the file is too. Wealth managers need to think innovatively about this most significant threat: digital documents. With the constant flow of documents sent via email, uploaded, stored and shared daily, attackers know how to quickly and easily infiltrate their intended victim, and are often gathering intelligence for months before making the first of many moves. Consultants must implement a sanitisation policy to ensure that all files traversing their IT systems and computers are safe, clean and free of threats.
Defence in Depth – Rarely does a standard ISP package for small businesses include a comprehensive cybersecurity offering. Large organisations are better at defending against cyber-attacks because they build a multi-layered series of defensive measures. Wealth managers need to direct their consultants to map to defence-in-depth strategies and tailor them to their customers, rather than relying on commodity services that may, at best, address one risk. With the wealth manager’s reputation at stake, this layered approach of not depending on one single service may need additional investment, but the benefits of additional protection far outweigh the implications of a breach.
Risk Surface Reduction – When it comes to risk management, large and complicated attack surfaces are hard to defend, because of the extensive effort needed to monitor, analyse and respond. It’s essential to determine the current attack surface and reduce it as much as possible to eliminate an attacker’s opportunities. We’re seeing more and more avenues for attack, especially with high-net-worth clients, with everything from IoT devices to macros being enabled when they don’t need to be. To successfully understand and implement a risk management strategy, complete an assessment to determine where the potential vulnerabilities exist.
Compliance and Control – Good governance drives good principles and good practice; ultimately this comes down to trust. How does a client distinguish between, or trust, one wealth manager over another? Is it a family connection, or is it because the firm has taken additional steps to secure its clients’ data and, more importantly, can prove it? Savvy high-net-worth clients are asking more about how their data is secured, not just how their money is working for them. Fortunately, there are many simple steps a wealth manager can employ, and there is no need to reinvent the wheel. The NCSC, guided by GCHQ, has published various guidelines, from the accessible 10 Steps to Cyber Security through to its more detailed Risk Management Guidelines.
With good policy, applying security controls to the constant influx of client files and sensitive information shared daily becomes natural and second nature. For example, a policy to remove known high-risk objects such as macros from documents, especially when they have no purpose within the company, is good practice.
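As an added illustration of the sanitisation policy and macro-removal rule described above (example code written for this edit, not code from the author or from Glasswall): a small Python routine that detects the VBA project part inside an OOXML document (.docm, .xlsm, .pptm) and rebuilds the package without it, also removing the content-type override and relationship that referenced it so the document still opens cleanly. The macro-enabled sample package it processes is constructed inside the script and is not a real client file.

```python
import io
import re
import zipfile

# OOXML stores VBA code in a dedicated part; its name is the reliable marker.
MACRO_PART_RE = re.compile(r"(^|/)vbaProject(Signature)?\.bin$")

def find_macro_parts(doc_bytes: bytes) -> list[str]:
    """Names of ZIP entries in an OOXML package that carry VBA code."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        return [n for n in zf.namelist() if MACRO_PART_RE.search(n)]

def strip_macros(doc_bytes: bytes) -> tuple[bytes, list[str]]:
    """Rebuild the package without VBA parts, also dropping the content-type
    override and relationship that point at them (avoids dangling references)."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if MACRO_PART_RE.search(item.filename):
                removed.append(item.filename)
                continue
            data = src.read(item.filename)
            if item.filename == "[Content_Types].xml":
                data = re.sub(rb"<Override[^>]*vbaProject[^>]*/>", b"", data)
            elif item.filename.endswith(".rels"):
                data = re.sub(rb"<Relationship[^>]*vbaProject[^>]*/>", b"", data)
            dst.writestr(item, data)
    return out.getvalue(), removed

def mentions_vba(doc_bytes: bytes) -> bool:
    """True if any remaining part still references a VBA project."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        return any(b"vbaProject" in zf.read(n) for n in zf.namelist())

def build_sample_docm() -> bytes:
    """Constructed sample: a minimal macro-enabled Word package, not a real file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        zf.writestr("word/_rels/document.xml.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/></Relationships>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project bytes")
    return buf.getvalue()
```

Call strip_macros() on the bytes of an uploaded file and pass only the returned bytes onward; note that legacy binary formats (.doc, .xls) store macros in OLE streams rather than a ZIP part and would need a separate handler.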
Cyber Insurance Policies – In the event of an incident, cyber insurance products specifically designed for high-net-worth individuals are available, sometimes simply labelled “fraud insurance” as a catch-all. With banks shying away from responsibility for transactions made using stolen credentials, insurance steps in. Some insurers actually demand evidence of good practice from their members, so being able to demonstrate that email and file security are priorities, and that good practice is governed by good policy, makes it more likely that the policy will be accepted by the underwriter.
As the saying goes, the bigger they are, the harder they fall, but in the case of high-net-worth clients, the richer they are, the harder they fall. There’s much at stake when it comes to high-net-worth clients – many of whom represent fortunes which have accumulated over decades or longer. In the modern era of cyber-attacks, it’s easier than ever for hackers to leverage the electronic “footprint” of these assets and the people that manage and protect them. Efforts must incorporate a multi-step cyber threat protection plan – addressing document assurance, layered defensive measures, compliance/control and a reduced risk surface – to ensure the wealth remains “all in the family.”
Lewis Henderson, VP Threat Intelligence, Glasswall Solutions
Image source: Shutterstock/AlexLMX