FA Magazine October 2024 | Page 37

bear with what they can and want to spend on cyber defenses.
3. Minimizing damage is just as important as blocking hacks.
The inevitability of a breach also makes identifying and implementing steps to minimize any potential damage an equally important aspect of an effective cybersecurity strategy.
Who Are The Bad Guys?
Cybercriminals can be generally divided into two groups. One group is the state-backed or state-tolerated cybergangs that operate openly in China, Russia, Iran and North Korea. The other group is the thousands of smaller cybergangs operating in every country in the world.
All of them are after client information and assets. A client’s non-public personal information, when accessed by thieves, can be used for identity theft — which is now a $54 billion per year industry all its own. Cybercriminals also target liquid assets that can be wired out of client accounts.
Key Obligations Under The Proposed Cybersecurity Rules
The new proposed SEC regulations include a lot of language that people might see as open to interpretation, for instance that its registered firms must have “adequate” cybersecurity policies and procedures or risk an enforcement action, and that the policies and procedures are to be “reasonably designed to address cybersecurity risks.” If the SEC concludes that a firm operated with “inadequate” cybersecurity, “the registrant faces downside risks” (in other words, commission enforcement actions).
Importantly, the rules make no differentiation between breaches resulting from indirect and direct attacks. This is problematic, since wealth managers are far more likely to be breached indirectly through clients and employees working remotely than to be hit by a direct attack.
The proposed rules are clear in saying the SEC views cybersecurity as not just the responsibility of firms but also of individual employees. RIAs would be required to self-report any material breaches to the SEC within 48 hours of detecting them. The proposed rules also include expanded risk disclosure obligations, namely that wealth managers must “in plain English, describe cybersecurity risks that could materially affect the advisory services they offer” and that they must “promptly” disclose any material breaches to clients.
There are other implications in the new SEC proposals. One is that firms would have to inform their clients that their stolen money likely won’t be reimbursed if their custodial accounts are attacked. And any large breach could hurt a wealth manager’s long-term business, since it would have to be disclosed to every current, future and potential client. Another proposal obligates wealth managers to create policies limiting the cyberattack risks from insiders (i.e., rogue employees, vendors, etc.).
How Cybercriminals Attack Wealth Managers
Criminals attack using a variety of evolving tactics. For instance, they penetrate company systems and steal client information. They purloin credentials for accessing custodial accounts and then pose as either the client or wealth manager. They initiate fraudulent transactions, and intercept the subsequent communications meant to verify them.
Cybercriminals were also early adopters of artificial intelligence (AI) software and have used it to create so-called “deep fakes”—very accurate clones of individuals’ voices and images, which they use in “social engineering” tactics. There is even a do-it-yourself video guide for creating deep fakes that can be used for Zoom calls.
Direct And Indirect Attacks
Cybercriminals directly attack weak points in company systems, usually stemming from misconfigured tech stacks or short and/or unsophisticated passwords. Approximately one million passwords are compromised every week in what are called “brute force attacks,” where attackers use a barrage of combinations trying to correctly guess at poorly conceived codes. A recent study showed that a computer using ChatGPT was able to correctly guess an eight-digit alphanumeric password with upper and lowercase letters, numbers, and symbols in less than one second.
Attackers also use “malware,” malicious software designed to get behind a wealth manager’s cyber defenses, export confidential client information, initiate fraudulent transactions, alter legitimate ones, and even take control of company systems. Unfortunately, every system can both be infected by and infect any device that is connected to it.
Indirect attacks are often easier for cybercriminals, who can breach wealth managers’ systems instead by targeting clients and employees who work remotely. And insiders — i.e., rogue employees,