Disco, Sex And The Cybersecurity Nightmare


Originally published in Financial Advisor

By Mark Hurley

Remember “Disco Inferno” and “The Hustle” and the “anything goes” promiscuous lifestyle of the late ’70s? All of that did not end very well, as the world learned that all behaviors are accompanied by their own set of—potentially very bad—consequences.

This good general rule of life somehow was forgotten in the Internet Age. Suddenly, we were in a “New Economy.” Everyone was going to be connected and share information—an electronic “anything goes” era in which convenience and access were far more important than safety. If you think about it, there are probably more than a few eerie parallels between the way people have approached using the internet over the last 25 years and how they thought about sex in the late ’70s.

But the recent WannaCry ransomware attack (which infected hundreds of thousands of computers in more than 150 countries within a few days), along with the hacking of political campaigns, government agencies and Fortune 500 companies, is probably only a sniffle compared with what is to come. Someday, hackers will release malware that no patch or filter stops in time. And the only real protection will be responsible behavior.

Internet theft is now a very big business—in many cases, it’s done by government-funded and operated businesses. The stereotypical hacker is no longer an overweight, personality-challenged geek living in his mother’s basement. In fact, hackers, virus makers and other cyberterrorists in countries such as China and Russia openly work in large office buildings as part of organizations designed to steal money or spread mayhem.

Unfortunately, and this is particularly surprising to anyone who follows this industry, very few wealth managers seem to recognize the magnitude of this threat to their livelihoods. Their firms are particularly attractive targets for bad guys because their clients' non-public personal information (Social Security numbers, account info, etc.) is regularly sold in underground markets on the dark web to organizations that use it to loot bank and brokerage accounts, steal credit cards and tax refunds.

Typical wealth management firm clients have substantial amounts of liquid assets and robust credit, so their data can be sold for a high price—in fact, on the dark web they are referred to as “whales.”

The wealth management landscape is littered with firms—including some of its largest and most sophisticated—that have already been hit. The CEO of one multibillion-dollar firm recently clicked on a link in an e-mail and all of his clients’ e-mail addresses were exported. Another big firm discovered that hackers seeking client information were sending e-mails appearing to be from people inside the firm.

Even worse, the bad guys are so sophisticated that not long ago they managed to get a client's custodial account information. They then called the client's house, pretending it was a routine telemarketing call; the client picked up the phone and answered "yes" to several innocuous-sounding questions. What's the harm, right? Well, the hackers recorded the answers, then directed the custodian to wire $500,000 to a bank in Hong Kong. When the custodian called the client to confirm the wire transfer, the call was intercepted by the crooks, who answered its questions with the recordings of the client saying, "Yes. … Yes." It worked, and it ultimately cost the client $5,000 to get the money back. The lesson for anyone who approves wires: a callback to the number on file proves nothing if the crooks can intercept that call, and a recorded "yes" is not a signature. A custodian that requires a pre-agreed passphrase, or a live answer to a question the caller could not have scripted in advance, would have defeated the playback trick.

But this cyber threat is not just limited to client assets. As wealth managers become bigger businesses, they too will become targets. Imagine if you came into your office one morning and you couldn’t access any client data, e-mails, phone numbers, financial plans or portfolios, nor your billing, compliance and personnel information. How could you function? And how long would it take to replace this information and what would you pay to get it back?

To prevent this from happening, wealth managers are going to have to change how they operate. First and foremost, they need to hire a sophisticated chief information security officer. But given that today there is a nationwide shortage of about 300,000 people with this expertise, filling this position is going to be expensive.

And if you thought dealing with a compliance officer was annoying, wait until you see the policies that a competent CISO is going to put in place. All client and company NPPI is going to be kept on a segregated set of systems with no general internet access, and access to them is going to be tightly controlled and logged.

Employees are going to have one phone for work and another for personal use. Access to the firm’s information systems from home computers is going to be much more limited.

Likewise, expect to spend a lot of money on specialized legal advice because insufficient information security is a quick way to wind up getting a regulatory enforcement action. Firms are going to have detailed, written protocols and everyone in the organization is going to have to follow them to the letter.

Remember the big hack at Target that exposed 40 million payment cards? The attackers did not break in through Target's front door. They stole the network credentials of a heating and air-conditioning contractor that had remote access to Target's systems, and used that foothold to plant malware on the company's cash registers. Guess who is responsible if something like that happens to your firm?

To protect yourself, your CISO is going to have to audit your vendors’ information security policies and procedures—even those of small vendors such as the local tech guy who fixes your server. At some point, you may even have to ban vendors from bringing their cell phones into your offices (many military headquarters require something similar).

But information security goes beyond just outside threats. You are equally liable if some junior analyst downloads client information and sells or distributes it. To protect yourself, you are going to have to do what the intelligence agencies do: compartmentalize. Only people with a need to know will be able to reach a given set of records, and every download will be logged and reviewed.

The “we are one big happy family that shares everything” approach to running your business is over. Is it just me, or when you hear the term “WannaCry,” are the Bee Gees in the background singing “Stayin’ Alive”?

Mark Hurley is founder and chief executive of Fiduciary Network, a private bank specializing in the wealth management industry.