Why wealth managers should celebrate stalemates in the never-ending cybersecurity battle

Cybersecurity is often discussed in the context of being a race to win, a game to dominate or a war to emerge from as the last man standing.

But John Cataldo says that firms fixated on coming out on top are missing the point.

Winning shouldn't be the objective. Because, frankly, outright victory isn't really an option.

John Cataldo, president of advisory services and chief legal officer for Integrated Partners

Instead, the president of advisory services and chief legal officer for Integrated Partners believes cybersecurity should be approached as an endurance exercise between you and an unmeasurable field of unknown opponents. One that is guaranteed to evolve as quickly as new technologies enter the landscape, and one that no one gets to opt out of.

So for wealth managers, the goals should be buy-in, commitment and an organization-wide understanding that it's not over 'til it's over.

"It's trench warfare. Parties are dug in. You don't want to let them across, but you're not probably going to be making much headway. So as long as you've got that stalemate where people can't get in, you're good," Cataldo told Financial Planning. "Educate your organization about why this is important. Help them get that greater appreciation for it. Help them understand the uniqueness of your organization and what your unique cyber threats are.

"But understanding that you are in it for the long haul is really, really important. And begin setting that stage internally so that people understand the dynamics."

As the way we work and live becomes more dependent on digital-first interactions, the risk of cybercriminals converting our ability to connect into opportunities to attack increases. 

The cybersecurity burden weighs even heavier on wealth managers trusted to protect the sensitive personal information of end clients — information that could lead to ruin if passive policies leave gaps in a firm's defense. 

READ MORE: Is your RIA's cybersecurity stack getting the job done?

Raising the already high stakes is an environment of evolving cybersecurity regulations and increased fiduciary responsibilities. Be it the SEC, FINRA, state regulators or another agency, wealth managers need to keep an eye on both potential threats, as well as rules and regulations that can turn on a dime.

The most recent tweaks from on high include three proposed sweeping cybersecurity rules from the SEC that overhaul oversight dating back more than two decades, but drew protest from financial industry groups for being too much to digest in a short period of time.

One of the latest proposed rules would give firms a hard 30-day deadline for informing clients of data breaches. The requirement to report data breaches would extend to any third-party vendors that advisory firms and broker-dealers might contract for cybersecurity and other services.

Another rule would apply to broker-dealers and similar firms and would require those organizations to adopt written policies designed to prevent hacks and to review those policies once every year. Firms would be required to provide reports on cyber attacks immediately to federal regulators and follow up with detailed accounts within 48 hours.

A major problem
If it feels like your organization or peers have been having more conversations about cyber attacks lately, it's for good reason. 2023 has thus far been a difficult year for those dedicated to digital defense, and the breaches once again prove that anyone is fair game.

College universities, government agencies, investment research firms and mobile phone carriers are among the entities that have ended up in the crosshairs over the past six months.

Brian Edelman, CEO of FCI, a managed security service provider to financial companies, said the biggest cyber headline happening this summer also doubles as "the worst cyber breach in financial services history."

He's referring to the MOVEit breach reported by Progress Software in late May that has a victim tally in the tens of millions — and counting — as additional organizations are being added to the list of dozens already confirmed to be caught up in the melee.

Brian Edelman, CEO of FCI

MOVEit is a piece of managed file transfer software developed by the Burlington, Massachusetts-based Progress Software that relies on encryption to facilitate the exchange of files and data between servers, systems and applications.

A criminal hacking gang known as Clop has claimed responsibility for the ongoing MOVEit cyber attacks and have threatened to publicly post internal data from targeted professional services firms like Pricewaterhousecoopers and Ernst & Young unless they pay a ransom fee.

Other companies and organizations that were impacted are the U.S. Department of Health and Human Services, Honeywell, the government of Nova Scotia, UCLA, the New York City Department of Education, the Louisiana Office of Motor Vehicles and Siemens Energy. 

Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, tweeted on June 30 that 162 organizations are known to have been affected by the MOVEit attacks, putting the records of more than 16.3 million people at risk. That includes 16 entities in the U.S. public sector.

But TechCrunch reports that only 12 targeted entities have confirmed the number of people affected, meaning the real count of individuals impacted is much larger than we think, Edelman said.

"I think it's certainly making it very clear who has strong cyber controls and who doesn't. Those who have responded early — and those are a lot of the public companies — have demonstrated that they have strong cyber programs and responses," Edelman said. "Vulnerabilities are going to happen. They're missing a core function called mass vulnerability response. So that's an important thing to address and uncover. But what we're seeing is they were able to define that there was a breach, they were able to define how many people were affected by the breach, they were able to talk about the fact that it was under investigation. These are all signs that they have mature cyber programs."

MOVEit isn't the only notable breach reported in 2023. Other attacks include 37 million people caught up in a T-Mobile breach; 20 million people in a PeopleConnect breach; and a breach disclosed by Zacks Investment Research that impacts nearly 9 million accounts. 

Cyber attacks have also been on the rise in recent years. The FBI's Internet Crime Complaint Center received 847,376 complaints of attacks in 2021. That was up 181% from 2017. 

Of the complaints from 2021, 51,629 concerned identity theft and 51,829 personal data breaches. Those numbers increased by 193% and 68% from 2017, respectively.

At the heart of each breach is the industry's most valuable resource: data. 

Like the spice in "Dune," attackers are willing to go great lengths to obtain it, and organizations must be equally committed to protecting it.

"This is a major problem as companies are more and more reliant on electronic communication and digital data storage," Cataldo said. "It becomes a more acute problem because you have more of this stuff. Clients and customers are more attuned to it. Regulators are obviously more attuned to it. And it intersects with so many different things — regulatory risk, reputational risk, legal liability. So the fact that it touches on so many different areas at once really supports why it's top of everyone's mind."

Where the industry ranks cybersecurity
As Edelman, Cataldo and others stress the importance of firms having a strong cyber plan, it's clear that the world of financial services gets it.

New research released by Financial Planning sister publication American Banker and conducted by parent company Arizent finds that banks and credit unions continue to identify cybersecurity threats and fraud as the greatest challenges to their digital banking strategies.

In the survey conducted this spring, nearly 90% of respondents said cybersecurity threats are a "moderate" or "significant" challenge to their institutions' digital banking strategies, ahead of integrating legacy systems with new digital technologies (86%) and retaining and attracting skilled talent (77%).

Bankers also named security-related functions as two of the top three technologies for enabling digital banking, with 55% saying enhanced security and fraud mitigation were vital to their goals and 50% saying digital identity verification is critical. That outpaced the importance rankings of many other digital services, including virtual assistants or chatbots (30%) and rapid application development (21%).

Arizent's research found that banks expect a large share of their spending in the coming year to go toward preventing data breaches, a continuation of previous spending trends.

Those results are similar to Arizent's most recent wealth management-focused research on cybersecurity which found that more than half of the wealth managers, 53%, said they believe the spending will increase by more than 10% from the previous year. 

When asked what kind of attacks pose the greatest risk to their businesses, the most popular responses among wealth managers were: viruses, malware or ransomware (60%); a data breach by a hacker or another criminal element (52%); phishing or spear-phishing (50%); and an unintended breach caused by a third-party vendor (41%).

There is also no single factor contributing to the growing cybersecurity risk profile of the companies surveyed by Arizent. Four factors affect 40% or more of the respondents' organizations: customers using mobile devices to access their data while "on the go"; employees working remotely; new digital tools being used to access customer data; and third parties being directed by customers to access their data.

Findings aside, F2 Strategy Director of Consulting Services Scott Lamont said it is difficult to measure whether truly enough focus is being put on the problem. 

That's because unless you can actively prove your efforts stopped a breach in its tracks, there are no opportunities to celebrate the fact that your approach is working.

Scott Lamont, F2 Strategy director of consulting services

It's a "no news is good news" situation and goes back to the idea of a stalemate being the best you can hope for.

"There's an argument to be made that it should be the top thing on everybody's mind all the time. So do I think that it has continued to improve? Yes. I get more questions about it as we engage with our clients on things like vendor selection and the controls around document sharing," Lamont said. "That's a sign that at least more of the executives and more of the senior IT leadership that we're engaging with are considering it to be a really critical component of what they do day to day. It impacts how they select new tools, how they support their advisors and their clients."

Asking the right questions, and adding the right family members
As firm's look to bulk up their digital defenses, Edelman said every valuable cybersecurity discussion should revolve around four important questions:

  • Do you know the person in your organization responsible for your firm's cybersecurity program?
  • Do you know if your firm has an active cybersecurity program?
  • Do you have a vendor management program?
  • Do you have an incident response plan?

But just as important as the questions are knowing how they should be answered, Edelman said. When asking these questions in your firm, he said the possible answers should be "Yes," "No," and "Yes, and I can provide evidence to support my answer."

He adds that the third option — yes with evidence — is the only right answer. Because if a breach takes place and regulators come searching for clarity, a yes without evidence is as good as a no.

"One of the major changes that the regulators did in order to create a profound impact in cyber within financial services, was we had a model before called attestation. It basically was you answer the question yes or no, and that was it," he said. "Now when you answer your question, you better think twice. If you're going to answer yes, know that the next question is always going to be about evidence. So you're almost better off saying no and then coming back and putting something in place as opposed to saying yes and not being able to prove exactly what they're requesting."

Vendor management is a major sticking point for Vikram Chugh, the chief operating officer of San Francisco-based RIA Robertson Stephens

Vikram Chugh, the chief operating officer of Robertson Stephens

Chugh, who oversees the wealth management platform at Robertson Stephens and is responsible for firm operations, said partnerships between wealth managers and fintechs are more common in today's environment as firms work to expand their services.

But once a new partnership or integration is announced, that vendor becomes part of the family. Meaning any gaps in their cybersecurity approach become gaps in your plans as well and the vendors must be vetted, with a cybersecurity due diligence plan in place.

"When we are onboarding a vendor, we want to make sure their cybersecurity policy is consistent with our needs and with what we have promised to deliver to our clients. So that's kind of the starting point," he said during a cybersecurity discussion during Financial Planning's 2023 INVEST conference. "The one drawback is that this does add time to onboard a vendor to our systems. But as a risk mitigation strategy, it's been well worth it."

During a separate INVEST 2023 session, Tiffany Magri, a regulatory advisor at Smarsh, said good vendor management begins with asking the right questions and taking good inventory of who you have invited into your firm's growing family. 

Tiffany Magri, a regulatory advisor at Smarsh

"If you haven't gone back and looked at them in the last year, two years, three years, five years, it's probably time. Can they still perform the functions that you need them to perform? Do you need them to perform more functions? Can they meet those requirements? What's changed in your business that you might need to think outside the box on and say, 'you know what, I need a new vendor for this,'" Magri said. "Additionally, I think it's so important to right size your vendor management program

"You're going to have to notify clients if you have a cybersecurity breach. So if you're working with vendors, and you haven't thought, 'who are they talking to? Where are they storing my data at?' Really think through some of those relationships as you're asking those questions and doing those vendor management risk reviews."

How AI changes the game
For a long time, cybersecurity has been a battle waged with tech but led by humans.

But how does the battlefield change as we witness the rise of the robots?

READ MORE: JPMorgan Chase using ChatGPT-like large language models to detect fraud

We already have some indication of how emerging artificial intelligence capabilities may add a new wrinkle to the conversation. 

In January, just months after ChatGPT made it into the hands of the public, researchers with cybersecurity company Cyberark successfully used the generative AI tool to create polymorphic malware, an advanced type of malicious programs that can actually alter its own code to evade detection and resist removal.

The researchers further developed their malicious code to include a component that periodically queries ChatGPT for new modules that perform malicious actions. Essentially, this means the original coders don't need to update their malware themselves in response to new security measures — the program is capable of modifying itself on the fly to meet novel challenges.

But if AI can make the attackers stronger, it can also fortify the defenders. In a May VentureBeat op-ed, Thomas Aneiro, a senior director at technical advisory firm MOXFIVE, argued that AI is going to revolutionize cybersecurity by allowing security practitioners to automate repetitive and mundane tasks.

He said it can also provide instructional aid for less-experienced security professionals.

Cataldo, meanwhile, said that AI has been around for generations. But the emerging AI that infiltrates people's lives is a different animal altogether.

"Where you have to be mindful of that is you have to ask yourself, how are these AI systems creating new entry points? Because people are accessing them more frequently, are they accessing them through the cloud? Are they accessing them some other way?" he said. "AI, with its ability to analyze and assess things faster or more fully, can also be exploited by cyber criminals to develop software that can infiltrate much faster. That increases that pace of technology. The arms race. 

"That's where AI enhances the risks that we face today in the financial services world, or any world where you're dealing with cybersecurity."

For reprint and licensing requests for this article, click here.
Technology Cyber security Cybersecurity 2023 Wealth management Practice and client management
MORE FROM FINANCIAL PLANNING