We recently participated in an engaging webinar focused on cybersecurity for wealth managers. Along with our Co-Founder Ali Qureshi, there were three other panelists who are cybersecurity experts, and with experience in the financial services sector. Please click here for the link to the webinar.
The ever-present threat of cyberattacks is climbing the priority ranks for wealth managers. They need to be robust gatekeepers to fend off would-be attackers.
But where do the threats come from in the first place? What is the best way to build and maintain a cybersecurity-enabled business environment? Can the challenge of cybersecurity be turned into a value add for wealth managers?
Ali Qureshi, Chief Revenue Officer & Co-Founder of SideDrawer comments: “There is greater awareness of the problem – we are seeing and hearing this from clients and in the news. We know that it’s moving up the list. But what is lacking is the knowledge and education around when and how to take action. What is the cost of doing this now vs not doing it?”
The backdrop to this is interesting. The financial sector has always been a target in terms of the assets under management as well as the vast amounts of valuable personal data that can be stolen then sold on.
Terry Wilson, Global Partnership Director at Global Cyber Alliance, describes the specific cyber threat to the wealth management community. “The wealth sector is more of a niche sector it’s harder to attack as they aren’t transacting using banking portals. But at the same time, the motivation to attack is greater due to the amounts involved and the sensitivity of the personal data. Ransomware attacks, in particular, are a temptation because wealthy individuals have the means to pay a ransom as do the wealth management firms – protection of sensitive data and reputational risk are very real in this industry.”
Indeed, for would-be criminals, it is easy to find out how to hack into something and to practice hacking as well. Very advanced tooling is also available and this further lowers the barrier to having a go! Cybercriminals are also getting more and better organized and starting to deliver their capabilities as a service to a less skilled set of criminals, they will hack on someone’s behalf. And crypto has enabled a way to get paid from anyone. Combine this with the accessibility of hacking then it is all much less hard work and thus a growing issue.
The industry has not helped itself either. Technology adoption; SaaS, the cloud, digitalization; the pace of change is so rapid and misconfigurations are rife. It is hard to defend a complex ecosystem if it has gaps. In addition, the sheer volume of data now being produced, flowed, and stored makes it easier for cybercriminals to hide in plain sight.
But as well as adopting new technologies people are not realizing the risks in using the old ones.
David Atkinson, Founder & CEO of SenseOn comments, “there are two common attacks; emails, passwords - get a password manager and two-factor authentication to solve this, Misconfigured remote access is a third. Looking after these elements is a very good starting point.” Sharing information via email as attachments or file sharing is particularly problematic. Qureshi comments: “E-mail is a long-standing form of communication but it is so easy to make a mistake and send out information to the wrong person or be the victim of a phishing attack. There has been an increase in mailbox server attacks, many of which are not detected until well after the event. Email has to be eliminated – services that give you secure immutable access are a standard requirement now,” he says. This is all the more pressing given the emergence of the post-Covid hybrid model where face-to-face meetings are less frequent, and the need to work collaboratively, involving wider family members for multiple planning assessments and relevant, specialist financial professionals is important. People need access to information but it needs to be shared and stored securely.
To this point, many wealth managers use securitybased platforms as a selling point, as something that allows for greater levels of engagement within a secure environment. “Security is not only a reputational and operational risk but also a huge differentiator. You need to be able to show that you are safeguarding the client’s information and position yourself as someone who is promoting that. Our feedback is that when our SaaS users onboard their client, they get better levels of conversation when they see the wealth manager cares about the security and will not take emails, for example. It gives a comfort level and makes the client feel like they are being taken care of,” says Qureshi. The case for smaller wealth managers to employ a specialist third-party solution is strong. Nino Vang Vojvodic, Co-Founder & CTO of ALT/AVE comments: “Wealth managers are coming to see it as a valueadd. outsourcing and moving that risk to a third party increases the security and outsources it to someone who specializes in it so the quality and the focus is there.”
With any outsourcing however it is important to go into the detail of what the third party is providing and whether that is fit for purpose. At board level, you need to understand what the solution does and which risks it does and does not mitigate.
The industry is great at telling people what they should do but not as good as telling them how and why and the means to do so.
So many are solutions on offer and it’s hard to make sense of it all. This is why an initial risk assessment is so valuable. Vojvodic comments: “Wealth managers take custody of both money and information so both need to be risk assessed. Where does data come in and what do you do with it in terms of storage, transport, and processing. Is data taken care of as well as the actual assets? Can you identify the path of the data and thus drill into apps and processes and ensure there is an auditable process that is followed every time,” he asks?
Qureshi says that to make the best use of a third-party solution there needs to be a good internal board-level understanding of what the risks are and what the firm is looking to achieve. “With wealth management, it is not just the end client it’s the other family members and professionals and the net needs to be cast far and wide to eliminate the risk of the weakest link,” Wilson concludes that the wealth industry should apply the same focus to data security as it does to privacy and asset management. “If it can transfer this skill strategically to have the right policies and procedures in place for everyone to follow then you not only mitigate risk but you also have a strong positive differentiator,” he says.
This article is from The Wealth Mosaic's US RIA WealthTech Landscape Report 2022. Access the full report here