However, within the broad spectrum of financial services are wealth and asset managers, who – with fewer digital information and IT security resources – face many of the same threats as their much larger industry cousins.
According to PwC (PricewaterhouseCoopers), this is because wealth managers hold an array of very valuable information assets, including the personally identifiable information (PII) of clients, access to financial information and financial assets, and other domains of criminal interest.
Despite being different from banks, investment firms or insurance agencies, the bitter reality is that wealth managers must contend with the same kinds of threats, but with fewer resources.
If not, a breach could lead to regulatory penalties and, potentially, a fatal loss of reputation. In an difficult operating environment, such risks could effectively end a wealth management firm.
Securing your wealth management firm starts with understanding the most serious cybersecurity risks posed to your operations. Below, we’ve compiled an overview of the cybersecurity or IT risks you need to worry about in 2018 and beyond.
According to EY (Ernst & Young), it is estimated that “large organizations” — including financial services firms — collectively incur 35 million cyberattacks a year. Moreover, these firms also struggle with detecting attacks (as per EY, it takes these firms 200 days to detect targets).
In part, this is due to the increasingly complex nature of these attacks, which now leverage an array of new attack points, such as mobile and social media. EY states that “firms … struggle to keep pace with the threat vectors, [especially] with limited resources.”
Cyberattacks take a number of forms. For example, a man-in-the-middle attack begins with your IT system getting compromised. Then, hackers reroute encrypted data — such as client PII — to their own server(s) before reaching legitimate users.
According to Deloitte, cyberattacks can result in many losses, including authority over one’s own Internet Protocol (IP) addresses and client data (including PII) -- and the potential leakage of such data to third-parties.
For wealth managers, these risks are especially pressing. In 2015, the US Securities and Exchange Commission (SEC) stated that a staggering 74% of advisors were a target that for cyberattacks. So, what’s driving this growth in cyberattacks against wealth managers?
One major reason is the fact that the IT side of the industry has become complex. For example, clients expect wealth managers to offer mobile apps and services, which add to the number of potential entry-points for attacks.
As per PwC, “Fraud incidents, both online and offline, increased by more than 130% during , resulting in significant monetary and reputational losses for financial institutions.”
Simply put, cybersecurity threats aren’t restricted to only external attacks; they can occur from within your own wealth management firm. However, these risks aren’t inherently malicious in all cases. They can simply occur from staff or company negligence.
For example, company- or employee-owned devices which contain confidential corporate information can get lost or stolen, and then fall into the wrong hands. Likewise, negligence in handling passwords and other controls could result in those keys reaching external hands.
In terms of malicious activities, poor IT security measures (including lack of access controls of client data, encrypted communications, and more) make insider trading, internal theft or pilfering, and identity fraud a much easier process. As with cyberattacks, the growth of internal incidents can be attributed to the growth of entry-points for attacks, such as mobile apps and the use of external, cloud-based services.
Ransomware, the practice of holding one’s access to their accounts in-exchange for money, typically occurs through phishing. Phishing is a method of social engineering wherein the user is deceived into providing their password or other critical data, which enables the attacker to gain control of the victim's system.
According to PwC, the ransomware Petya and WannaCry affected “hundreds of thousands of computers around the world.” This is a severe threat to wealth management firms because employees, contractors and even clients can be targeted by phishing.
As a result, wealth managers should be particularly aware of “spear phishing”: “an email fraud scheme similar to phishing, but usually targeting specific organisations and coming from what seems to be a trusted source” (Deloitte).
Spear phishing works because users see these emails – especially from trusted sources such as their wealth management firm – as normal correspondence, and decide it is fine to share confidential information in return when, in fact, they shouldn’t.
According to Deloitte’s 2016 Global Risk Management Survey of the Financial Services Industry, as many as half of financial services firms – including wealth managers – found mitigating their IT security risks “very challenging” or “extremely challenging.”
Clearly, you’re not alone in worrying about your IT security risks. Moreover, as industry trends push your wealth management firm into adopting automation, the cloud and other cutting-edge technologies and processes, the “attack surface” available to cyberattackers against your firm will only grow. Ultimately, you’ll need to begin thinking about potential solutions to shield your firm and its assets from cyberattacks and other malevolent activities.