Wealth firms are failing to keep pace with a growing wave of digital dangers, regulators and sector specialists have warned, after the Financial Conduct Authority identified a 187% increase in tech outages over the year to late 2017.
The regulator found that too many wealth firms either rely on outdated, manual processes to protect themselves or believe they are below the radar of malicious actors.
‘The biggest mistake that firms make is that they ignore the issue’, says Malcolm Taylor, head of cyber security at ITC Secure, which works with several wealth management firms. ‘Wealth managers are still doing a lot of business via email, and we’ve seen a lot of email compromise.’
Ironically, while some pre-digital techniques such as traditional telephone dealing and execution may be the safest simply by virtue of keeping information offline, increasing regulatory pressures to standardise, automate and record all communications may be creating vulnerabilities.
‘Cyber criminals hate human contact. We should do more of it to tighten security,’ added Taylor. So how to stay compliant while staying safe, and how can you do both cost effectively?
Of the increase in tech outages last year, almost a fifth (18%) were due to cyber security failures, said the FCA, although it added that some of the increase may be due to increased reporting.
Across the board, wealth firms are lacking in protection against threats such as phishing, DDoS (denial of service), and ransom attacks. Firms often rely on ageing systems that leave them particularly vulnerable to malicious activity.
Last year, the FCA released a report (Cyber and Technology Resilience) highlighting that smaller financial services firms were mainly reliant on manual processes, or no process at all, for detecting cyber attacks.
The regulator noted that only large firms had the systems in place to detect and respond to attacks. It also highlighted a widespread lack of staff training in this area, with only 47% of financial services firms providing additional training for employees in high-risk roles.
Wise after the event
Alan Beaney (pictured below), chief executive at RC Brown Investment Management, feels it is only after they have been targeted that many of his peers realise they are vulnerable, or identify where they may be exposed.
‘You don’t know how seriously wealth managers are taking cyber security until there’s a hack,’ he said. RC Brown uses a secure portal he adds, and will not accept client instructions via email. He also says that online access is not linked to the firm’s accounting system, and that no data is held in the cloud.
Although wealth managers are relatively small businesses, they have very valuable clients, Taylor points out. He adds that clients also themselves need to protect themselves better.
‘Ultra-high net worth individuals and famous people make really good targets. They don’t have the corporate structures to protect them[selves], so they can be incredibly exposed.’
Taylor says that clients are often ‘not getting the basics right’, with few adopting safeguards such as two-factor authentication and anti-virus software on their phone.
Sergel Woldemichael, wealth management analyst at GlobalData, said that while getting the basics right was important, more sophisticated methods of protection, using technology such as artificial intelligence, were increasingly cost effective and affordable.
‘AI has the ability to spot any unusual behaviour, detecting threats faster than an employee could,’ he said.
‘It can constantly collect information relating to successful, attempted and failed attacks. This allows it to better defend the organisation, and to learn better ways of avoiding that threat reoccurring.’
Taylor remains sceptical, however, suggesting that AI technology is still in its infancy: ‘I don’t see AI getting to grips with cyber security quickly enough, we’re not quite there yet. AI is currently always reactive, technology needs to look forward.’
The enemy within
Giulia Lupato (pictured below), senior policy advisor at Pimfa, says firms should also consider the ‘internal threat’, where employees could leak information or steal data when they leave the company. The FCA has also highlighted this issue, and said that there was ‘limited evidence of firms proactively seeking to connect the dots between cyber and other conduct issues’.
Pimfa has put together a cyber security guide, in conjunction with Charles Stanley, which simulates hacking attacks.
Lupato says that it is crucial for firms to educate their staff on potential threats. For example, companies could run exercises involving mock emails that replicate phishing attacks.
She adds: ‘You can lessen cyber risk, but you can never totally get rid of it. It’s impossible for a firm to defend against everything – not even the likes of Google and Facebook can completely offset attacks.’