Advisor Domain: Heed the Warning, Don’t Be a Statistic


A weekly update on cybersecurity trends in the wealth management space. We explore the client-adviser relationship over a cybersecurity breach.

October is National Cybersecurity Awareness Month.

But you wouldn’t know it from the headlines. The only thing many people are aware of when it comes to cybersecurity is the occasional breach of a major corporation.

Over the weekend, UHS Health System – one of the largest national healthcare networks – confirmed that they had been hit by a massive ransomware attack. The attack launched on Sunday, September 27, around 2 am. The firm has now confirmed that the attack impacted all of its U.S. care sites, clinics, and hospitals.

This attack made the headlines in the New York Times and Wall Street Journal.

But the breaches that aren’t generating as much attention are happening at wealth management firms. Despite the fact that then-SEC chair Mary Jo White said in 2016 that cybersecurity was “one of the greatest risks facing the financial services industry and will be for the foreseeable future,” wealth management firms’ efforts to address these risks haven’t reflected that level of concern. Meanwhile, regulators haven’t been highly active in penalizing firms that fail to maintain proper cybersecurity defenses. The $1 million fine levied in 2018 against Voya Financial Advisors, which demonstrated the SEC’s effort to address a breach that exposed customers’ personal data, was only the first enforcement of the Identity Theft Red Flags Rule since 2011.

Alongside this relatively slow commitment to cyber-defense, independent advisors have believed that they are too small to face a potential cyber-attack. This is the great error. Being small makes an advisor an ideal target, particularly one holding large amounts of client data that reveals investment behaviors, risk tolerance, and individual goals. But remember: it’s not just wealthy clients’ data and access to their information that wealth managers must protect.

Trading algorithms and strategies are ripe targets for hackers, as are the trades they generate. Algorithms might exploit small price movements in nanoseconds. The value of these algorithms is known only to the wealth management firm, but we can call them priceless IP assets. They can command a hefty ransom demand, or become a source of alpha for the hackers themselves or for any traders or competitors willing to pay top dollar.

Don’t Overlook the Business Model

Too many people in wealth management also overlook that cybercrime isn’t a series of rogue attacks that happen at random.

In reality, cybercrime is a business model, much like a sales job. An actor will compromise 25 businesses, deploy ransomware with a $50,000 demand on each, and hope that at least five will pay the ransom.

Salespersons might make 100 calls and hope to find two or three buyers for a big payoff.

Next, I stress this. If you’re a wealth advisor working with third-party vendors, you need to audit your inventory of them. Know exactly who they are, what they do, and why you are doing business with them. The 2018 VFA breach was tied back to VFA having given an independent third party access to its brokerage’s advisory and client information portal. In 2016, hackers impersonating VFA contractors called a support line and requested password resets. That later allowed them to access the customer portal and commandeer accounts.

Finally, while one might assume that ample upgrades exist to address a potential hack, understand what the industry actually faces.

Meanwhile, the sophistication of encryption technology only makes a breach that much more significant. In a few years, unlocking a locked-out phone or computer isn’t going to be a job for a CISO. It will require nation-state-grade technology, rendering a single device and its data obsolete. My core concern is that ransomware, particularly in the Digital First economy that we will adopt at an even more rapid pace, will spread like wildfire. And given that the U.S. government remains hesitant about banning Bitcoin, the cryptocurrency will remain the ransom payment of choice for actors around the globe.

The lack of transparency in Bitcoin transactions will only heighten the potential demand for an asset that finds itself at the center of this behavior.

Third parties will remain the big threat, which requires significant risk profiling of everyone in your orbit. To get started, make sure that your legal department or outside counsel has a cohesive plan for a quarterly vendor inventory. If they aren’t willing to engage in risk mitigation up front, they certainly won’t like the idea of facing potential lawsuits in the future.

I’ll be back to discuss the first 48 hours of a breach and how to handle it next week.

Enjoy the week,