Cyber criminals are targeting wealth managers as a route to their high-net-worth clients, exploiting inadequate defences and weak security practice. Lewis Henderson reports.
A study from Campden Wealth and Schillings has revealed that 28 percent of international high-net-worth families and firms managing their assets have been breached in cyber-attacks. Despite the risks, approximately 40 percent lack a dedicated cybersecurity policy or a professional to manage protection. Are the 72 percent unaffected doing something radically different to defeat cybercrime, or is it just a matter of luck?
These days, malicious actors are seeking to penetrate the security of any high-net-worth individual’s network of business partners, family and friends, monitoring activity and gaining intelligence before launching a meticulously planned cyber-attack.
A potent ‘risk cocktail’ is created by neglect of cybersecurity, generating opportunities for extortion or data-theft that lead to reputational damage.
In the wake of the Panama and Paradise Papers incidents, wealth managers are rightly concerned about secure handling of clients’ sensitive files, as even these may lure malicious actors to start a cyber-attack, ultimately inflicting financial and data loss.
When the Panama Papers made headlines in 2015, the industry saw an unprecedented leak of 11.5 million sensitive files coming from the database of the world’s fourth biggest offshore law firm, Mossack Fonseca. The veil on this secret world and its dealings had been lifted.
Wealth managers are facing increasing levels of scrutiny by regulators overseeing Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance, EU GDPR and the California Consumer Privacy Act of 2018. High-net-worth clients are required to submit a greater number of documents than ever before as evidence of good practice and compliance.
More innovative institutions are building sophisticated client-facing portals to manage this, but the problem is that clients’ staff can easily be lured into uploading a malicious file by mistake. The wealth manager tasked with reviewing and processing that file will be trusting and inclined to open such documents.
As a wealth manager, it is now considered remiss if you do not hire cybersecurity consultants and advisors who will take the following critical steps to protect zero risk-tolerant clients. Attackers have various methods and wealth managers must become familiar with them.
o Phishing – Emails or attachments that seem random and ask you to 'click to open' or 'click to access'. Just don’t. Hover over the image or link and the true website will be revealed; check and double check, and if in doubt, type the website address manually.
o Spear Phishing – Emails or attachments that may reference something you are aware of from someone you know. Unless you were expecting to receive an email asking you to transfer £50m, pick up the phone.
o Being asked to visit a website by a client isn’t out of the ordinary, and neither are malicious websites set up to collect personal information or deploy malware. URL links within documents or from webmail accounts can all be checked for integrity.
o Using GPS-enabled devices, promoting activities on social media and having a public profile all assist attackers looking for useful data. Consider the implications of what all staff do.
Email and digital documents are the lifeblood of business, but wealth managers need to think innovatively about files as well as senders. With the constant flow of documents sent via email, uploaded, stored and shared daily, attackers know how to quickly and easily infiltrate, and often gather intelligence for months before making a move. Consultants must implement a sanitisation policy to ensure that all files traversing their IT systems and computers are safe, clean, and free of threats.
Rarely does a standard ISP serving small businesses provide a comprehensive cybersecurity package. Wealth managers need to direct their consultants to align with defence-in-depth strategies and tailor them to their customers. They should not use commodity services that may, at best, address one risk. With the wealth manager’s reputation at stake, this layered approach of not relying on a single service may need additional investment.
It’s essential to determine the current threat surface and reduce it as much as possible to eliminate an attacker’s opportunities. Everything from IoT devices to macros is being enabled when it doesn’t need to be. Complete an assessment to determine where the potential vulnerabilities exist.
Compliance and Control
Good governance drives good principles and good practice, but how do you trust one wealth manager over another? The NCSC, guided by GCHQ, has published various guidelines such as the friendly 10 Steps to Cyber Security, through to the start of robust risk management guidelines.
With good policy, applying security controls over the constant influx of client files and sensitive information becomes second-nature. For example, a policy to remove known high-risk objects from documents such as macros, especially when they have no purpose within the company, is good practice.
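The macro policy described above, and the sanitisation requirement in the earlier paragraph on files traversing IT systems, can start with a gate like the following on a client upload portal. This is an added example, not code from the article or from any product; `check_upload`, `make_package` and the sample files are constructed for illustration, and the check only flags Office files for quarantine rather than sanitising them.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc/.xls/.ppt container
MACRO_PARTS = ("vbaproject.bin", "vbadata.xml")  # OOXML parts that carry VBA
MACRO_TYPE = b"macroenabled"                     # marker in [Content_Types].xml
MAX_TYPES_SIZE = 1_000_000                       # refuse to inflate oversized parts

def check_upload(filename: str, data: bytes) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict is 'accept' or 'quarantine'."""
    reasons = []
    if data.startswith(OLE2_MAGIC):
        reasons.append("legacy OLE2 container: macros cannot be ruled out here")
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            for name in names:
                if name.lower().endswith(MACRO_PARTS):
                    reasons.append(f"VBA macro part present: {name}")
            if "[Content_Types].xml" in names:
                info = zf.getinfo("[Content_Types].xml")
                if info.file_size > MAX_TYPES_SIZE:
                    reasons.append("oversized content-types part")
                elif MACRO_TYPE in zf.read(info).lower():
                    reasons.append("package declares a macro-enabled content type")
        if reasons and filename.lower().endswith((".docx", ".xlsx", ".pptx")):
            reasons.append("macro content under a macro-free extension")
    # Anything else (PDF, images) is outside this policy and goes to other checks.
    return ("quarantine" if reasons else "accept", reasons)

def make_package(parts: dict[str, bytes]) -> bytes:
    """Build a constructed OOXML-style ZIP in memory for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples: a clean document and one carrying a macro part.
CLEAN_DOCX = make_package({"[Content_Types].xml": b"<Types/>",
                           "word/document.xml": b"<w:document/>"})
MACRO_DOCX = make_package({
    "[Content_Types].xml": b'<Types><Override ContentType="application/'
                           b'vnd.ms-word.document.macroEnabled.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"constructed placeholder, not real VBA"})

if __name__ == "__main__":
    for fname, blob in (("kyc_form.docx", CLEAN_DOCX), ("passport.docx", MACRO_DOCX)):
        print(fname, check_upload(fname, blob))
```
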
Cyber insurance products specifically designed for high-net-worth individuals are available, sometimes simply labelled ‘fraud insurance’ as a catch-all. With banks shying away from responsibility for transactions using stolen credentials, insurance steps in. Some insurers demand evidence of good practice among their members, so being able to demonstrate that email and file security are priorities, and that good practice is governed by good policy, makes acceptance by the underwriter more likely.
The bigger they are, the harder they fall, as the saying goes, but in the case of high-net-worth clients, the richer they are, the harder they fall. In the modern era of cyber-attacks, it’s easier than ever for hackers to leverage the electronic footprint of assets built up over decades, along with the people that manage and protect them. Efforts must incorporate a multi-step cyber-threat protection plan – addressing document assurance, layered defensive measures, compliance and control and a reduced risk surface. This is how to ensure that wealth remains secure and that companies managing it can continue to do so without daily risking their reputations.
Lewis Henderson is VP Threat Intelligence at Glasswall Solutions