Why wealth management firms are investing in their own cybersecurity

Holding personal data on high net-worth individuals and conducting large financial transactions make wealth management an attack target, and management is starting to take it seriously.


As custodians of large amounts of money and data on high net-worth individuals, wealth management firms can make appealing targets for threat actors. Twenty percent of cyberattacks reported to the UK’s Financial Conduct Authority (FCA) in 2018 were targeted at the wholesale and investment management sector. Yet the sector has only recently been making large-scale efforts to improve its cybersecurity.

Wealth management and cybersecurity

Wealth management firms, which are often small, may be a niche part of the financial sector, but are still subject to cybersecurity threats. “Wealth managers don’t typically have the same concerns as average consumer banking businesses,” says Ray Irving, managing director of global business services at the Financial Services Information Sharing and Analysis Center (FS-ISAC). “Customers are less likely to use online banking portals and therefore criminals have less opportunities from the customer side.”

Despite the customer behavior being slightly different, wealth management has been keen to embrace digital transformation. The Personal Investment Management and Financial Advice Association (PIMFA) reports that 95% of wealth management firms either had or were in the process of creating a digital strategy in 2019, up from 80% the year before.

High-capital financial organizations such as wealth management or private equity firms make appealing targets for threat actors, though Irving adds that many wealth management firms manage but don’t necessarily hold the wealth – which may be investments as opposed to liquid assets such as savings – meaning there may be less readily available cash for attackers to siphon away from the company. They hold large amounts of data on wealthy individuals, however, and a KPMG report found that most incidents suffered in the sector have involved client data theft or data loss.

“In addition to the usual cyber criminals trying to steal client PII and subvert payment transactions, the wealth management sector faces specific threats in the data leakage space,” Irving says. “Journalists, activists, investigators and tax authorities all want to know the confidential banking arrangements of the wealthy. Hackers, insiders and fraudsters are the most likely threat actors to provide that data.”

Wealth management a target for attackers

Until recently, wealth management firms hadn’t been so strong on transforming security. Just 39% of asset management CEOs consulted in KPMG’s 2017 CEO survey said they were fully prepared for a cyber event. “Asset management firms are not immune to a cyberattack and are likely to be an increasing target given the significant value of assets under management,” warned KPMG’s follow-up report into cyber resilience in the sector.

Reports suggest the sector has previously lagged in cybersecurity maturity compared to the rest of the financial sector. In 2018, the FCA found that some firms had done almost no testing of their security measures, while others had a very narrow understanding of risk, meaning they hadn’t considered the damage successful cyberattacks could inflict on customers, other firms, or the wider market. EY’s financial services cyber solutions leader Steve Holt commented at the time that the findings should be “a loud alarm call” to the UK asset management industry.

Previous reports from the FCA suggest the sector relied on outdated or manual processes to protect itself, and that firms often thought themselves too small to be targeted. A 2017 study by Campden Wealth and Schillings found that although nearly a third of high net-worth families and the firms that help manage their assets had fallen victim to cyberattacks, 38% had no cybersecurity policy in place and 51% of respondents had never audited their publicly available information.

Irving says that wealth management firms are not easy targets because many are old institutions with “a culture of confidentiality and security built up over centuries of operations,” which have been carried over into the digital space. Attacks still happen and have been costly. In 2018 London asset management firm Cheyne Capital warned that entities in Beijing may have been copying its name, logo, website address and fund information, while Seven Investment Management had to warn customers about a similar incident happening locally.

This year Check Point discovered a hacker group it named The Florentine Banker, which has been targeting private equity firms in the UK and was successful in extracting bank transfers worth £1.1 million ($1.3 million) from three firms via business email compromise (BEC) attacks targeting senior executives.

In May 2020 Norfund, a North Sea wealth fund based in Norway, lost more than $10 million in funds after what the company described as an “advance data breach” of its systems. A loan intended for a microfinance institution in Cambodia was hijacked and attackers managed to redirect the transaction to an account not belonging to the intended recipient.

“In terms of attacks, email still remains the main attack vector of choice,” says Ste Watts, head of cybersecurity at Rathbone Brothers, a UK provider of wealth management services managing over £40 billion worth of funds. “BEC is also a regular feature in the industry, as cyber criminals target staff that have access to sensitive information or are able to carry out large financial transactions. This is where a cybersecurity-aware culture is key.”

Improving cybersecurity in wealth management

More recently the sector has sought to improve its cybersecurity capabilities. The 2018 Trends in Asset Management report found 33% of asset managers view cybersecurity improvements as a key business priority, and half of firms said they planned to increase cybersecurity spending. PIMFA’s 2019 Risk Survey claims firms have become “much more aware of the damage [cyberattacks] can cause as whole in terms of fines, client relationship and confidentiality.”


“In my experience, the wealth investment management sector is further ahead of where it was a few years ago and is picking up pace,” says Watts. “I think that the sector is realizing that cyber threats aren’t just a concern for large companies and that cyber criminals can attack indiscriminately. The realization that cyber criminals will often find the path of least resistance and target smaller, likely less-resourced companies that still hold large amounts of sensitive data and have access to large sums of money has resulted in cybersecurity becoming a hot topic at the boardroom table in many [wealth management] companies, and rightly so.”

As the industry has matured, Watts says collaboration between firms is also increasing to raise the collective security posture of wealth management. “As well as a greater appetite from firms to establish cybersecurity teams, I’ve also observed a lot more threat intelligence sharing and collaboration across the sector,” he says. “Along with the FCA and the Prudential Regulation Authority (PRA), organizations like PIMFA are ensuring that wealth management companies have access to more resources relating to cybersecurity and members meet regularly to share knowledge and information about cyber-crime. This increased access to resources and diverse experience means that [wealth management] companies are now better prepared for cyberattacks than they have been in the past. There’s always room for improvement, but that goes for any sector.”

Getting the business and board to understand cybersecurity

Promoting security culture is high on Watts’ agenda. A 2019 study by GlobalData found that only 43% of wealth managers are concerned about the effect of data breaches on their brand. This may be because just 31% think that their customers are concerned about data breaches and cybercrime. At the same time the FCA report found that boards had “limited familiarity with the specific cyber risks their organizations face” and that firms needed to take “proactive steps to foster a security-centric culture which transforms cyber from an IT issue to an organization-wide priority.”

“Translating technical concepts into something that a board understands – risk – is the key to getting them on-side,” says Watts. “Coming from a technical background, I realized what makes you stand out when speaking to your peers in the cybersecurity industry is not the same thing that makes you successful when speaking to the board or anyone else in the company.”

“For me, it ultimately comes down to humanizing cybersecurity as much as possible. Forget the technology and the industry buzz words and instead find the board’s ‘so what?’: So what does this mean to me and how will it help me to be more successful in my role as I drive the company forward? When you can articulate this, the conversation is always a little easier.”

Working with the business, Watts says his mantra is “know, not no”: teaching the business about cybersecurity lets it recognize risky activities for itself. “Our job as cybersecurity leaders is to provide the information – the ‘know’ – to the business so that they can actually recognize when the answer to their question should be ‘no’ based on risk to the business. This way, they will become more security aware and become a great ally.”

As an example, he suggests selling multi-factor authentication to the business as an enabler that can result in less long-term friction in the user experience, less back-office overhead, and a visible sign to customers that the company takes cybersecurity seriously. “The important thing here is to do this in a positive way by being realistic about risk whilst avoiding using FUD [fear, uncertainty and doubt] as your main reason. Instead we focus on finding a way to promote a more secure option that can still enable the business. So, a ‘no’ is turned into a ‘yes’ and we’ve added value.”

Copyright © 2020 IDG Communications, Inc.
