It’s clear that much work is needed in terms of information security among wealth managers, but a concrete cyber security program is contingent on clearly identifying your actual threats. Below, we’ve outlined the top three cyber security threats to wealth managers in 2018.
Shifts in user behaviour and user expectations are pushing wealth managers to adopt a range of new technologies, such as mobile applications. However, these new assets are also new points of entry for potential cyber attacks, especially malware.
Malware attacks are generally aimed at devices, such as your firm’s laptops, workstations and smartphones. According to Symantec, malware attacks at financial services companies aim to steal the companies’ credentials or data, or to facilitate another attack — such as a man-in-the-middle (MitM) attack — against your system.
Accenture found that it costs companies (across all major industries) $2.01 to $2.36 million (on average) to recover from malware attacks. In addition, 38% of malware infections in the financial services space emerge from corporate computers, i.e. internally. Thus, taking malware attacks seriously should be the starting point of every effective information security program.
Likewise, the growing adoption of wealth management applications — especially on mobile and via cloud-based services — makes disruptive attacks against wealth managers possible. As per KPMG, distributed denial-of-service (DDoS) attacks against wealth management client applications are a “likely” prospect. In addition to disrupting your operations, DDoS attacks harm your credibility with clients.
Dealing with DDoS attacks isn’t easy, but ensuring that your application data and services are running through strong cloud and network systems is an appropriate start.
Ransomware is among the leading cyber threats faced by wealth and asset management firms. A ransomware attack tries to exploit people — i.e. your employees, your clients and yourself — via social engineering and other methods to essentially hijack your system.
Ransomware attacks unfold through fake pop-up windows, messages or other methods aimed at tricking the end-user into submitting their personally identifiable information (PII) or credentials (e.g. logins). For example, a client could come across a social media message that claims to be from your wealth management firm and, in turn, unwittingly give up their password.
Such attacks are described as phishing attacks. However, of key relevance to wealth managers should be the growth of “spear-phishing.” In contrast to random pop-ups or spam messaging, a spear-phishing attack is carefully tailored to the would-be victim.
A cyber attacker will craft an email to you, a client and/or a staff member while masquerading as someone the recipient would trust or be familiar with, such as an executive or manager. According to the cybersecurity company Kaspersky, such emails aim to trick the reader into visiting a website with malware or opening a malware executable (sent as an attachment).
As you might imagine, the weakest (or strongest) link in terms of phishing is the user. Thus, IT security best practices dictate that user education and training be a key component.
Besides financial assets, wealth managers are also sitting on incredibly valuable — and highly regulated — data assets, especially client PII. In fact, PwC stated that customer records are the “most targeted data” at 36% of cyber attacks in Canada in 2016.
However, wealth managers also possess data in the form of investment information, proprietary or trade secrets and other critical assets. Granted, banks have similar information at hand, and at a larger scale. But as banks increase their cyber security spending, wealth managers are now being viewed as potential targets.
Indeed, wealth managers are in the unenviable position of having to deal with many of the same threats to their data as larger financial services vendors, but — as PwC puts it — with “very limited internal information technology resources.”
However, wealth managers will have to deal with much of the same aftermath as banks should they suffer from data theft (or leaks). For example, should your firm’s client data get stolen and/or leaked, you will have to deal with a loss of credibility in the market.
With today’s industry dynamics, such as clients expecting mobile applications and, as a result, pushing your wealth management firm to invest in cloud and other external services, your data is vulnerable on a wide range of fronts.
For example, your cloud service provider could be a very vulnerable target, while your client or internal applications may not have been built to current cyber security standards. This is not to say you shouldn’t rely on external providers; rather, you should seek those with extensive and credible industry experience and vendor partnerships.
Granted, an effective cyber security program will be expensive, but the cost will be negligible compared to the damage cyber attacks can cause. In some cases, a single data breach — when combined with direct costs of recovery, potential government/regulatory penalties, legal issues with your clients and inability to recover your reputation with future clients — can be devastating.
Dealing with the constantly evolving and increasingly complex cyber security landscape isn’t an easy task. In fact, not only do you require a core set of expertise and experience to secure your information system, but it’s very difficult, and costly in time and money, to build that capacity.
Instead, refer to a partner with credible experience providing cyber security IT solutions — be it in terms of networking, cloud services, device management or application management — to wealth management firms as a start in properly resolving your cyber security gaps.